Schneier on Security
A blog covering security and security technology.
April 5, 2011
I have no idea why the Epsilon hack is getting so much press.
Yes, millions of names and e-mail addresses might have been stolen. Yes, other customer information might have been stolen, too. Yes, this personal information could be used to create more personalized and better targeted phishing attacks.
So what? These sorts of breaches happen all the time, and even more personal information is stolen.
I get that over 50 companies were affected, and some of them are big names. But the hack of the century? Hardly.
Posted on April 5, 2011 at 12:58 PM
On the other hand, I would like to know (just out of curiosity) what hack Bruce would classify as the "Hack of the Century"?
(If any such hack exists, that is)
The broadness + company-name factors of this situation seem to be the only reason this is even getting press. The actual situation puts customers in little danger they weren't already in.
Spam already comes in for many of the affected companies and I don't think having the existing database of customers really makes the spam more effective to con people; it may help reduce the workload to 'conversion' ratio of a spammer, though.
This entire situation is obviously 90% hype and 10% 'oh no!' -- now if we could just calm everyone down...
Is there a downside to making a big deal out of the theft of personal information? The damage is largely intangible, but it is real.
I think a large part of it is all the warning e-mails going out. Large data breach, plus e-mail warnings for each compromised address at each company, equals lots of people getting at least one warning e-mail, and many people getting multiple warning e-mails.
The spammy nature of the Beast Buy message also got lots of attention.
Yes, I know it's early in the century, but my vote would be for Stuxnet. That was one hardcore, complicated, multi-vector smack down. I would have loved to have seen this brain child get born: "So, you want to reprogram the PLCs inside secret Iranian nuclear facilities by writing a computer worm to take advantage of Windows 0-days. And you say it will spread like wildfire across the Internet, but be fairly benign. Brilliant. Do it."
HBGary would be an honorable mention due to the pure irony of it all.
@drootzler: "Is there a downside to making a big deal out of the theft of personal information?"
In the scheme of things, yes. It's the "crying wolf" mistake. If we exaggerate things like this too often, no one listens when it is serious.
Oh my God #1. Panic. Nothing happens.
Oh my God #2. Concern. Nothing happens.
Oh my God #3. Shrug. Nothing happens.
Oh my God #4. Rolls Eyes. Nothing happens.
Oh my God #5. Yawn. Then... what do you mean there isn't enough in my account to cover a $10 check?
Overreaction may yield some short term vigilance, but it results in long term inattentiveness.
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
We have been informed by Epsilon Interactive, a vendor based in Dallas, Texas, that files containing your email address were accessed by unauthorized entry into their computer system. Epsilon helps us send you emails about products and services that may be of interest to you.
We want to assure you that U.S. Bank has never provided Epsilon with financial information about you. For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, visit:
In addition, if you receive any suspicious looking emails, please tell us immediately.
Call U.S. Bank Customer Service at 800-US-BANKS (800-872-2657).
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions, or need any additional information, please do not hesitate to contact us.
"If only they had chosen passwords 20 characters long and changed them every ten minutes." Is that what you're going to say next? Or, was it "if only they had examined their server logs continually they would have noticed something was up, but because they're stupid and lazy that's why this happened."
One potential threat not mentioned in the pressers is that the stolen emails plus weak passwords plus dictionary attacks could be used to access online accounts, even at websites not affected by Epsilon. I'll wager that weak, reused passwords are a LOT more prevalent among these stolen emails than strong, unique ones.
Epsilon says this affects only 2% of their customer base (or about 50 companies). Is that really true?
So far, I've heard of 38 different brands that have sent out disclosures.
@stvs: "One potential threat not mentioned in the pressers is that the stolen emails plus weak passwords plus dictionary attacks could be used to access online accounts, even at websites not affected by Epsilon."
I think that's a fair point. Dual Use is a risk almost anywhere.
I can see where getting the email address HJohn@email.com and knowing it's a Chase user would be exploitable. Crack email.com's weak encryption without being noticed due to poor detection, then use the same password with account HJohn. If you get in, they then say "we don't recognize your computer, select where we can send you a security code..." One of the options is likely HJohn@email.com, which you already have.
Of course, this risk exists even without this type of a disclosure. Once someone gets an email address, they can try it as a user ID and password on any banking or financial site. This particular disclosure just gives them a little more knowledge.
It is still more of a problem with dual use than disclosure, since email addresses are often public anyway.
I can just see some reporter now "This means that hackers may well have your name and e-mail address. If hackers already had your name and e-mail address, then now they have it again. If hackers do not have your name and e-mail address, then you would know it by the complete absence of spam in your e-mail account. For those who have an e-mail address but have never received spam there is an increased risk. We spoke to both of them today, and they assured us that, while they are concerned about this turn of events, they have never given their e-mail address to any of the affected companies. If you want to ask them yourselves, you can e-mail them at ..."
Obviously, if my email was held by 30 of the affected companies, this breach will affect me 30X as much. If they had one copy of my email address, that's one thing...but 30?
If someone wants to use the same password for their email address and bank account, and if they use the same user ID for both, there isn't much the bank can do about it.
One thing a bank could probably do though is disallow the association of an email address with their bank account if the ID for the email address is the same as the user's bank ID. I know, easier said than done, but aside from that banks can't really do much about dual use.
It's getting press because everyone's email boxes are filling up with breach notices. I've got 7 so far - Tivo, Marriott, Chase, 800-Flowers, MasterCard, Hilton, Brookstone. If I worked for "the press", I'd write about this, too.
Does this mean these companies are now free to sell all these email addresses to third parties without fear of repercussions? I mean, when I start getting spam at "email@example.com" how will I know if Best Buy sold it or the spammer acquired it from the hackers?
@keepingsanity at April 5, 2011 2:11 PM
One thing the disclosure statement you posted was missing was a statement on password security. I know that passwords weren't what was disclosed, but it probably couldn't have hurt for them to say something like this:
"While your account passwords have not been compromised, we have no control over the security of the passwords for your email accounts. If you are using the same password for your email account and your bank ID, we strongly advise you to change your bank password and not use the same password for both."
May not help, but couldn't hurt.
As a valued U.S. Bank customer, we want to make you aware of a situation that has occurred related to your email address.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email.
Posted by: keepingsanity at April 5, 2011 2:11 PM
I've seen a similar notice from Chase Bank, which also included the following line.
"Don't use your e-mail address as a login ID or password."
I'm sure most financial institutions involved in this disclosure are being extra diligent in monitoring suspicious logon behavior right now.
So Easy way to avoid problems such as this. Buy a domain.. Pay for Email service. Set up a catchall that forwards to gmail account. Then when you create account at say bestbuy.com you can register with email such as firstname.lastname@example.org then when this ( email addresses stolen) happens you create a filter for email@example.com to be automatically deleted. Problem solved.
Someone mentioned that Gmail supports "+" addressing, so you can create 'unique' email addresses simply appending a tag to your regular address -- 'firstname.lastname@example.org' becomes 'email@example.com' and 'firstname.lastname@example.org' and so on.
Sadly, there are many sites out there who won't accept a "+" as a valid character in an email address. I used this method for years on a previous ISP until most of the sites I used stopped allowing me to utilize the (RFC compliant!) "+" addressing scheme.
Anecdotally I'd say about 20% of sites (or registration opportunities) refuse plus-addressing.
Please remember that U.S. Bank will never request information such as your personal ID, password, social security number, PIN or account number via email. For your safety, never share this or similar information in response to an email request at any time. To learn more about recognizing online fraud issues, just enter your account number and PIN at:
I am very surprised Bruce is surprised. It's not the names and e-mail addresses, it's all the metadata.
At the very least, the attackers have obtained the stripped-back customer databases of dozens of Epsilon's customers. The marketing value of these lists is enormous: someone can now cross-correlate customer relationships across multiple brands.
The million dollar question is, what other metadata has been exposed? We know breached organisations are economical with the truth. So let's not casually assume just yet that the problem is limited to names and e-mail addresses. And let's press for full disclosure by Epsilon of all data types involved.
It would be a very strange customer database that contained names and addresses and nothing else at all. And it would be a very odd attack that stopped short of uploading all the other customer files they could find (like e-mail logs) once they got in behind the firewall.
What's the talk about compromised email passwords? I don't recall that from Krebs' initial report. The links say that the companies that email ads were compromised and the attackers just got the names and email addresses. The attackers don't have your bank or email password unless you personally gave it to the email ad companies.
On the other hand, I found it amusing that black hat spammers stole info from what are basically legal spammers.
There were no compromised email passwords, to my knowledge. If that's how I sounded, it was unintentional. I was simply saying that it may be in the best interest of the institutions to encourage users to not use the same password for the email as their account logon, if they are doing so.
Basically, I do see a potential dual use risk here, where if an email provider has crappy password security and the user has the same logon ID and password for both the email and account, they could get an account password by cracking the weaker email password.
Mostly, just a casual discussion of risks and remedies.
I couldn't agree more with Bruce. I ignore so many phishing attempts on a weekly (sometimes daily) basis anyway that this isn't going to make much of a change.
It is not what they got but what they will get next. Since these companies sending me the "don't worry be happy" e-mails have not addressed what they are going to do to Epsilon or how they will protect my information in the future from going to some 3rd party and being hacked. It is not about what happened but what will happen. I feel it was a blame the victim mail. We lost your data but you need to protect yourself. Maybe privacy is dead.
Thanks for your clarification. Yes, there is certainly a dual account risk. I remember that back in high school during our... uh... "impromptu, post-negotiated pen tests"... we could often gain access to one server using credentials from a totally unrelated service.
I've also noticed how often people re-use passwords. I do too, but I have several. Each one represents a level of criticality and I make sure I match each to the right site: a password for critical and trustworthy sites won't be re-used on an untrustworthy or even non-critical site. Of course, to keep risk low, I have to change *every* password if a compromise occurs, just in case. Some have suggested a password manager and random passwords.
Well, I'm concerned about putting all my eggs into one digital basket. A more proper analogy would be "safely" storing all your Jack Daniels in a colander. Both the data and the Jack will find their way out somehow. ;) Keeping it all on paper is risky due to robbery, but perhaps putting it on a money belt or in a hidden pocket might work. The thieves haven't started stealing most targets' pants... yet.
"So Easy way to avoid problems such as this. Buy a domain.. Pay for Email service. Set up a catchall that forwards to gmail account. Then when you create account at say bestbuy.com you can register with email such as email@example.com then when this ( email addresses stolen) happens you create a filter for firstname.lastname@example.org to be automatically deleted. Problem solved."
That's exactly what I do. Every company I do business with is given its own email address.
Many of these appear to get hacked. OK for me, I just drop that address. Surprisingly enough, quite a few big names (major banks/search engines) have fallen prey to this (and no notification has ever been received).
@ Stephen Wilson,
"At the very least, the attackers have obtained the stripped-back customer databases of dozens of Epsilon's customers. The marketing value of these lists is enormous: someone can now cross-correlate customer relationships across multiple brands."
I'm glad somebody else spotted this.
Of course if they already have a minimal DB they may well be able to fill in a very large number of blanks as well.
As I've been pointing out for quite some time now the likes of "bot net herders" are very much undervaluing their assets...
The chances are that most of "the users" whose email etc. has been compromised also have PCs loaded with malware etc.
As many mathematicians have shown in the past half decade there is actually very, very little anonymity possible in most commercial DBs even after the obvious "customer details" have been stripped.
So just remember, next time you are filling in some form etc., not to add your online details: you are just putting a big fat target on to "Cover Your A55", and when in there with a few million others somebody is going to come along and put a big boot "center target".
I used to say "welcome to the goldfish bowl" but these days perhaps "Welcome to the Hurt Locker" is more appropriate, because more and more people are finding a world of hurt from their online life...
What I'd like to know is how I'm supposed to be on the watch for suspicious emails among all the spam I get anyway. My spam filters work very well (and I do review them for false positives), and odds are any new spam will be caught by them.
Given that my financial passwords are pretty strong, and not used anywhere else, and that I really don't care about an increase in spam because I won't notice it, I don't think I'm much affected.
So somebody knows one bank I do business with. What are they going to do with that to harm me?
Does it matter if an email address and a name are exposed?
Wasn't this information sold out by Choicepoint? Don't data brokers already sell this information all the time, and then someone uploads that information in a free for all?
It seems like a brute force attempt to try to setup a new app store of identities?
When was the last time it was done?
Well multiple times every year since the past 10 years I have been keeping track ..
Clive put it well, it's not a matter of how, but when
So, get over it
I disagree. I think in conjunction with other knowledge based attack tools, this can allow attackers to sufficiently enhance their target mappings. Island hopping between name and e-mail addresses allows an attacker to bind aliases together and cluster different types of attacks against common targets--whose relationships were not obvious without such a dearth of account information as disclosed in Epsilon.
For instance, if Jon Do is email@example.com in McKinsey&Assoc. table ; firstname.lastname@example.org is present in the row with Freddy Jones in Hilton HHonors tables; and our attacker is targeting Goldman Sachs and already knows that Jon Do (email@example.com) works for Goldman Sachs from snooping pi.com for headers matching firstname.lastname@example.org SMTP; but don't know his password, (say some time ago we already had successfully rainbow tabled Freddy's pi.com account), now we have a chance that 'Jon' is actually using his static hotmail password for some GS account. Couple that with the RSA seeds and CP-KIP OTP algorithm (OK, a stretch but...). As attackers, we would have never known that if we hadn't been able to connect Freddy and Jon via the common email@example.com e-mail address.
I feel that adding to the breadth of knowledge on individuals by name|pseudonym|email mapping is the real value here. Not just for 1 org but 50 or more. Who knows how many syndicates running parallel attacks were waiting for the missing links that just fell to the ground with this disclosure?
A good reason to use unique email addresses for each of your "special" correspondents. Just like passwords, unique. A little bit of trouble to administrate, but it certainly isolates the trouble. And, it's trivial to do when you have your own domain.
You can even subcontract the email to GMAIL if you want by repointing a few records.
It also automagically detects financial spam, when a message purporting to be from "your bank" arrives on the "wrong email" account.
Wish I could teach this technique to more people.
We could have email "security" even if the ISPs don't want to do IPv6, or email providers like Yahoo, who won't authenticate when email arrives from outside labeled as if it originated from Yahoo itself. (I even tried to sell them a consulting engagement but they said "it wasn't their problem". With an attitude like that, no wonder we have problems.) The real blame should go to the ISPs and Email Service Providers who don't secure their networks and products.
Ultimately, like most problems, the problem of identity theft winds up at the Gooferment's door. We couldn't have identity theft without their Social Security Number. Which when originally proposed, "NOT FOR IDENTIFICATION PURPOSES". Boy, are we stupid!
Bottom line: Self-defense is the only defense.
Ferdinand John Reinke
Kendall Park, NJ 08824
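The per-correspondent alias scheme from the comments above (a catch-all domain with one address per vendor, or Gmail-style plus-addressing), the "filter the leaked address straight to deletion" step, and the "your bank writing to the address you gave a hotel" check, as an added Python example; this is not code from the original post or any commenter, and the domains, alias registry and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration for this example (not from the page).
CATCHALL_DOMAIN = "example.org"          # vendor@example.org style aliases
PLUS_MAILBOX = ("alice", "example.com")  # alice+vendor@example.com style aliases

# Which sender domains legitimately use each alias tag (constructed values).
ALIAS_REGISTRY = {
    "chase": {"chase.com"},
    "bestbuy": {"bestbuy.com"},
    "hilton": {"hilton.com"},
}

# Tags whose address was handed to a vendor that later leaked its list;
# anything arriving there is discarded, as the comments suggest.
BURNED_TAGS = {"bestbuy"}


def alias_tag(address):
    """Return the vendor tag encoded in a recipient address, or None.

    Handles both the catch-all form (local part is the tag) and the
    plus-addressing form (tag follows '+'). A plain address, e.g. one given
    to a site that refuses '+', carries no tag and returns None.
    """
    local, _, domain = address.lower().rpartition("@")
    if domain == CATCHALL_DOMAIN:
        return local or None
    user, mbox_domain = PLUS_MAILBOX
    if domain == mbox_domain:
        base, plus, tag = local.partition("+")
        if base == user and plus and tag:
            return tag
    return None


def domain_allowed(sender_domain, allowed):
    """True if sender_domain is one of the allowed domains or a subdomain."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)


def classify(raw_message):
    """Classify one message as 'ok', 'burned', 'mismatch' or 'untagged'.

    This is alias policy, not sender authentication: the From: header is
    attacker-controlled, so 'ok' only means the message is plausible.
    """
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    tag = alias_tag(to_addr)
    if tag is None:
        return "untagged"
    if tag in BURNED_TAGS:
        return "burned"
    sender_domain = from_addr.rpartition("@")[2].lower()
    if not domain_allowed(sender_domain, ALIAS_REGISTRY.get(tag, set())):
        return "mismatch"
    # A registered brand named in the display name that is not this alias's
    # brand: "your bank" writing to the address you only ever gave a hotel.
    words = set(re.findall(r"[a-z0-9]+", display.lower()))
    if any(other != tag and other in words for other in ALIAS_REGISTRY):
        return "mismatch"
    return "ok"


def triage(raw_messages):
    """Classify a batch of raw messages, preserving order."""
    return [classify(m) for m in raw_messages]


# Constructed sample messages; only the headers matter to the check.
SAMPLE_MESSAGES = [
    "From: Chase <alerts@email.chase.com>\nTo: alice+chase@example.com\n\nstatement\n",
    "From: Hilton HHonors <news@hilton.com>\nTo: hilton@example.org\n\npoints\n",
    "From: Hilton HHonors <news@hilton.com>\nTo: bestbuy@example.org\n\nleaked alias\n",
    'From: "Chase Online Banking" <security@chase-verify.example>\n'
    "To: hilton@example.org\n\nverify your account\n",
    "From: Chase Card Services <no-reply@chase.com>\nTo: alice+hilton@example.com\n\nhi\n",
    "From: Chase Alerts <promo@hilton.com>\nTo: hilton@example.org\n\nhi\n",
    "From: A Friend <friend@example.net>\nTo: alice@example.com\n\nlunch?\n",
]

if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(verdict.ljust(9), raw.splitlines()[1])
```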
If name & email address are not valuable, then what was the motivation of the Epsilon attack? I'm assuming the attack was not trivial (anyone know how hard it was?). So take your pick:
(a) the attack was simple mischief
(b) it was a proof-of-concept for some interesting technique, or
(c) we're all missing something and the stolen data really is valuable.
I think some are missing the point. Epsilon is a third party e-mail marketing firm. No company would have any reason to share any information other than name and e-mail, no sensitive information such as account number and especially not passwords. Some other info that may have been shared would be zip code, age, and other matrices marketing analysts might use for targeted marketing. I would hope that these companies wouldn't even have a way to retrieve passwords considering best practices dictate using password systems that require a reset using challenge questions rather than plain text password retrieval. Those whose e-mail was in the affected lists (mine included) are at a greater risk for spam and phishing for a while now. This is why I opt out of marketing e-mails with any account that is tied to a retailer or a financial institution including credit cards. I already know how to avoid being a victim of phishing but I still take the time to opt out anyway.
@Stephen Wilson at April 6, 2011 2:34 PM
Very fair point, but I do see it as both valuable to the attacker but not as big of a risk as one may think to the user.
Admittedly, that is seemingly contradictory.
First, a list of valid email addresses is valuable for spamming and social engineering purposes, and also for dual use risks for those who use the same ID and password for their bank and email.
Second, I think the disclosure to affected parties and encouragement to pay attention to their transactions was probably the right course of action due to #1.
Third, if someone doesn't use dual use of passwords and accounts, their biggest risk is social engineering or spam. Social engineering was addressed in the disclosure, and spam is just a fact of life easy to delete anyway.
Finally, and what I think appears to be a contradiction but isn't, is that the amount of press is excessive. That isn't the fault of Epsilon or the institutions. They're basically reacting to this worse than they have to other more serious hacks.
I was affected by this, and am not very concerned at all, but I see nothing wrong with the cable news cycles' hyperbole in this instance.
The only thing these white collar snow jobs respond to are dips in their bottom line, and bad publicity is pretty much the most effective tool to accomplish this.
If you want big business to start filling up the holes in their technological drywall, you're gonna have to get the press to pounce first.
But wait, there's more!
Dell has sent messages to all their customers in Australia. But other multinationals like Target and Visa say there's no problem here (see http://www.zdnet.com.au/...
Think about it: How do the companies know if customers in any part of the world have been affected? The information at Epsilon must have been organised or tagged in some way geographically. Therefore the attackers also know something about the location of the users in the databases that have been raided.
So already we know it's more than name and email address. For each user, the attackers also know (a) sets of companies which do business with that user, and (b) something about the region they live in.
@Paul & others
No need to buy a domain name to get a unique email to give to each supplier.
Spam Gourmet (and clones) already provide a service that lets you create a disposable email address on-the-fly.
Great for trade-shows as well.
> I have no idea why the Epsilon hack is getting so much press.
Slow news day?
See my response here: http://flashdriveterrorism.com/?p=343
Excerpt: Bruce Schneier has come out saying he has "no idea why the Epsilon hack is getting so much press." He says that these events happen all the time, which is almost an understatement. Schneier points out that even though the hack could have been much worse, and big name companies were affected, it is not, as some are calling it, "the hack of the century." I'm no Bruce Schneier, but I'd like to offer an explanation and its consequences.
Sure, the Epsilon hack was messy. Jonathan Zittrain, co-founder of the Berkman Center for Internet & Society noted that Epsilon security was "lazy" and that customers who opted out of receiving e-mails were still retained in the database, meaning that their e-mails were also compromised. However, I agree with Schneier -- regardless of all the big name companies and the lazy security (the fact that it could have been much worse), it doesn't seem like this should have made such a big impression.
I believe that the reason this has gotten so much press is simply because Epsilon and its customers (Marriott, Walgreens, etc.) have let the information get press. Unlike many corporations who have experienced similar leaks in recent memory, most (all?) of the companies that had information with Epsilon have contacted those on their mailing lists. In 2005, only 20% of respondents in a survey of corporations targeted by cyber attacks said that they had reported incidents to law enforcement. (Janczewski and Colarik, Chapter 3 page 3) Why did so many incidents go unreported? Corporations are afraid of exactly what happened in this case - bad press. Epsilon's parent company, Alliance Data Systems Corp. (ADS) has seen stock prices fall, and there are doubtlessly other consequences for the affected corporations.
There is hope in this event, though. The more clarity and openness that exists in regard to these incidents, the greater the chance that solutions can be found and security will be taken more seriously. If Epsilon had perhaps heard of another similar organization that had this issue, maybe they wouldn't have been so lazy. Additionally, and perhaps more critically, the users of these systems - individuals on the ground level, may take more steps to secure themselves in the future.
@Jerbear et al
"So Easy way to avoid problems such as this...."
As others have suggested you don't even need to cough up for a domain name. Use Gishpuppy, Spamavert etc.
All have different strengths and weaknesses but as they are free there is no reason not to use them all.
For example, if I am signing up to a service I will often use the Gishpuppy address of [servicename].NNN@gishpuppy.com - then when spam starts coming in, I close that account. Spam stops.
Alternatively, when I just need a quick email address that I will never need again, I use [randomletters]@spamavert.com. I check it, get the email and then never look at it again.
So far this has been very effective. It has allowed me to identify which companies sell on email addresses (Classic FM is a good example). It also allows me to bypass tedious requests for personal data from various sites. A recent example is Firebrand training, before they will show course prices you have to give name, email and phone number. I hope their database is full of Joe Blogs using a Spamavert account....
Another "insider hacking crime of the century" not,
It appears that a man who was sacked got on to a secure data site and erased a considerable quantity of material relating to a children's program "Zodiac Island"; apparently at least a whole season is gone for good...
Not sure what the ins and outs are but the moral appears to be "Don't trust your secure data host service" as sometimes the data is not secure at all...
Hack of the Century?
Watson was pretty cool.
Two reasons this is newsworthy: One is surprise that an obscure service bureau could lose so many third parties' information at once. Within the industry we know who ESPs are, but in the world at large, not so much.
The other is this kind of leak is ideal for spear phishing. When Choicepoint leaked, it was Choicepoint's data, but this leak is Chase, and other banks, so they know which phishes to send which victims. If there's more data than the address, which there apparently is in many cases, all the better, or worse.
I recall that in the case of Hilton Hotels, they had outsourced all of the processing associated with their HiltonHonors loyalty program to Epsilon.
So if you have an American Express / Hilton Honors Co-Branded Credit Card, or if you've pre-registered any other Credit Cards with Hilton to aid Reservations, then those details (Cardnumber & Expiry Date) are also held by Epsilon.
Consequently, although they might not have been compromised by this particular attack, I hope Epsilon are checking them out to ensure they are adequately protected (eg encrypted).
Compromise of the email address from individual entities may not make much difference (everyone has listed potential outcomes, spam etc.); however, combining information or data mining, you may be able to deduct some unwanted/unexpected conclusion.
For example, a member of Hilton Honors, Ritz-Carlton, McKinsey Quarterly and Chase is perhaps financially affluent compared to a person who is a member of College Board, Red Roof, Food 4 Less and MoneyGram.
Additionally, you may be able to narrow down the state of residency. For example, brick and mortar stores of Walgreens and Kroger are not available in every state. Membership to Eurosport and Air Miles Canada... You get the point...
Above are just plain examples, so please don’t go in crazy loops in responding on above examples…
It may not the “hack of the century”, but information lost due to this hack can be highly valuable (My $0.02).
"...co-founder of the Berkman Center for Internet & Society noted that Epsilon security was "lazy" and that customers who opted out of receiving e-mails were still retained in the database, meaning that their e-mails were also compromised..."
If that is the case then it appears to be a clear failure to adhere to the UK Data Protection Act legal requirement to only keep data for as long as it is required, which for the UK clients of Epsilon could mean fines from the UK ICO.
@ Ted - Wow, didn't realize the implications of that. Were there many UK clients, and do you think anything will actually come of it?
@Ted... The responsibility for weeding out customers and consumers who opt-out should fall on the first-party company not the marketing company. That was the practice we followed at my prior place of employment and something that I preach to everyone I talk to. The whole reason behind the opt-out is that my information doesn't get shared with third-party e-mail companies. I do agree that Epsilon has some explaining to do, however there is a shared responsibility among the first and third-party companies involved. I am looking forward to any investigative findings, if made public, on exactly what has occurred to facilitate such a data leakage.
While not the hack of the century it is a serious data breach. For anyone supporting a large user base phishing is a constant support problem. Phishing schemes appear to profit on volume. Potentially there could be very successful large volume spear phishing attacks given the breadth and size this data loss.
They sold the hack. Just a theory, but watch their numbers. Makes the most sense. Valuable info sold for marketing + breach = $$$
So more revelations about how metadata is leaking more and more PI. Like filenames telling what drugs people have inquired about. http://bit.ly/eUmqQZ