Archive for Epsilon

April 4, 2011 – Episode 207

Posted in Breach, criminal forensics, darkweb, ediscovery, eMail Security, The CyberJungle, Vulnerabilities, web server security on April 4, 2011 by datasecurityblog

Episode 207 of The CyberJungle is about 48 minutes long. You can hear it by clicking on the flash player below. You may download the file directly, which is convenient for listening on many smartphones. Or you may go to the listening options page and browse for other ways to hear the show. The interviews start at about the 26:30 mark.

Interview

Rob Lee, of the SANS Institute and Mandiant: Defining the Advanced Persistent Threat (APT)

Our Take on The Week’s News

The Epsilon breach, read more in two blog postings at The CyberJungle, here and here.

News on the causes of the RSA breach, read an in-depth blog report from RSA/EMC

Pornwikileaks and a health clinic under fire for the alleged release of porn actors’ personal information. NSFW: Pornwikileaks

Tales from the Dark Web

If you don’t understand this basic cyber crime concept, you better figure it out this week, because there is a large-scale attack underway. The Websense link to the blog posting and video Ira mentioned.

Wrap

Cell phone panic button app sends emergency alerts

Hello McFly….Epsilon Breach Shows Cybercriminals Have Moved Way Past ID Theft

Posted in Breach, criminal forensics, ediscovery, eMail Security on April 4, 2011 by datasecurityblog

Major media outlets around the globe are giving greater coverage to the Epsilon data breach story today. This might be the biggest breach of non-regulated PII (personally identifiable information) in US history. Read more on the story in this CyberJungle posting from Sunday night.

Typically, the mainstream media has focused on ID theft involving Personally Identifiable Information (PII): credit card breaches, financial account information theft, and healthcare data breaches. Little attention has been paid to business data theft by the media, by pressure groups, and by many of the businesses that house the data, since business data is not typically regulated the way PII is.

This might be a watershed moment when the attention is shifted to business data. According to a report released last week by McAfee/Intel and SAIC, “…cybercriminals have made the shift from stealing personal information, to targeting the corporate intellectual capital of some of the most well-known global organizations. Cybercriminals understand there is greater value in selling a corporations’ proprietary information and trade secrets which have little to no protection, making intellectual capital their new currency of choice…”

The focus of attention in the Epsilon story is consumer data. Big story number one, not yet getting much attention: the widespread theft and resale on the digital black market of business intellectual property such as trade secrets, technologies, sales data, price lists, key customer contacts, manufacturing processes, software code, salary information, and more.

Another big story not getting much attention: contrary to the spin from data collectors and pressure groups, the biggest data risk associated with the collection of consumer information is not that the data collector will sell the data to another firm. The biggest risk is that the data these collectors hold will end up in the hands of cyber criminals or a government agency, or will become part of damaging civil litigation, all of which can cause much greater harm.

The CyberJungle Radio program that will post Monday will cover this story and other news about security, privacy and the law. Other stories we are covering include the widespread SQL injection attack; a new panic-button smartphone app; and an in-depth look at the Advanced Persistent Threat (APT) with Rob Lee of the SANS Institute. Listen to Episode 207 at the TheCyberJungle listening options page.

Posted by Ira Victor

Ameriprise Financial Customers Exposed in Massive Marketing Firm Breach

Posted in Breach, criminal forensics, darkweb, eMail Security on April 3, 2011 by datasecurityblog

Ameriprise Financial has joined a growing list of large companies announcing that their customers were exposed in a data breach at marketing firm Epsilon. The CyberJungle has learned that Ameriprise Financial sent a notice to customers Sunday evening, reading, in part:

We were recently notified by Epsilon, an industry-leading provider of email marketing services, that an unauthorized individual accessed files that included some of our client and consumer information. Epsilon sends marketing and service emails on our behalf but does not have access to sensitive client data such as social security numbers. They have assured us that only names and email addresses were obtained. We take your privacy very seriously and want you to be aware of this.

You are receiving this because you have in the past received a communication from Ameriprise. If you receive an email that appears to be from Ameriprise asking for personal or financial information, do not respond. Instead, please immediately forward the email to us at: anti.fraud@ampf.com.

The notice gives general recommendations, including using anti-virus and anti-spyware software, not sending financial information via email, being cautious about pop-ups, and to “Use caution when opening attachments or downloading files from email.”

Among the other high-profile companies whose customers were exposed by the breach of Epsilon Marketing’s information systems are Citi, Kroger’s, Marriott and Walgreens. A recently updated list is in this SecurityWeek.com story.

In a separate Epsilon statement last week the marketing company said “an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s systems. The information that was obtained was limited to email addresses and/or customer names only.”

Epsilon’s “about us” section says, in part, “ …We offer a full range of marketing services to help you [businesses] connect with them [customers] anytime, … This full-brain approach has earned us numerous accolades…” The Epsilon web site has a security policy which states, in part, “We protect information we collect about you by maintaining physical, electronic and procedural safeguards. All information is secure and may be accessed only by key staff members of Epsilon.”

The CyberJungle take: It appears that Epsilon may not have been using a “full brain” approach in protecting its information assets. The thrust of its statement is: the attackers only took customer names, email addresses and the names of the companies those customers do business with, so there is not much risk of harm. The risk of harm is precisely that social engineering attacks, phishing attacks, and other attacks can be launched against those customers using that data. Users are more likely to respond to a message from, say, Walgreens, if in fact they are already a customer of that store, and the stolen data tells an attacker exactly which recipients those are. As social engineers have shown, once trust and rapport are gained, an attacker can do significant harm. The harm could be widespread and could extend to employer data, since many people give a work email address for these services. Security and human resource administrators should consider holding a staff training session to help protect the information assets of the business, and to protect staff members from personal cyber attacks that could hurt worker productivity.
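The attack pattern described above, a message that borrows the name of a brand the recipient really does business with, can be screened for at a corporate mail gateway. The following is an added example, not code from The CyberJungle, Epsilon or any of the companies named: it parses a message, and flags it when the display name or subject claims a known brand but the From: domain is not one that brand sends from, or when Reply-To: points somewhere other than the From: domain. The brand-to-domain allow-list and both sample messages are constructed for the example and are assumptions, not real sender data.

```python
"""Flag mail that impersonates a brand the recipient already does business with.

Added example for this post; the BRAND_SENDERS table and the sample messages
below are constructed and hypothetical, not real sender data from any company.
"""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical allow-list: brand keyword -> domains that legitimately send for it.
# A real deployment would source this from the mail team / SPF records.
BRAND_SENDERS = {
    "walgreens": {"walgreens.com", "email.walgreens.com"},
    "ameriprise": {"ameriprise.com", "ampf.com"},
}


def sender_domain(header_value):
    """Return the lowercase domain of an address header, or '' if it has none."""
    _, address = parseaddr(str(header_value or ""))
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def _domain_allowed(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def brand_mismatches(raw_message):
    """Parse an RFC 5322 message and return a list of textual findings.

    Findings are produced when (a) the From: display name or Subject: names a
    brand in BRAND_SENDERS but the From: domain is not one that brand uses, or
    (b) Reply-To: carries a domain different from the From: domain, which is
    how a phisher harvests replies while spoofing a trusted sender.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = sender_domain(from_addr)
    claimed = f"{display_name} {msg.get('Subject', '')}".lower()

    for brand, domains in BRAND_SENDERS.items():
        if brand in claimed and not _domain_allowed(from_dom, domains):
            findings.append(
                f"display name/subject claims {brand!r} but From: domain is {from_dom!r}"
            )

    reply_dom = sender_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"Reply-To domain {reply_dom!r} differs from From: domain {from_dom!r}"
        )
    return findings


# Constructed sample messages. The recipient uses a work address, which is the
# employer-exposure point the post raises.
PHISH = """From: "Walgreens Rewards" <rewards@walgreens-account-verify.example>
Reply-To: collect@mailbox-drop.example
To: jane.doe@corp.example
Subject: Confirm your Walgreens account to keep your rewards

Click the link below and enter your card number to stay enrolled.
"""

LEGIT = """From: "Walgreens" <no-reply@email.walgreens.com>
To: jane.doe@corp.example
Subject: Your weekly Walgreens offers

This week's offers are attached to your rewards card.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, brand_mismatches(sample) or "no findings")
```

The check is deliberately narrow: it only knows about brands listed in the table, so it complements, rather than replaces, SPF/DKIM/DMARC evaluation at the gateway, and it will not catch a lookalike that avoids naming the brand at all. It does catch the cheapest version of the attack the post warns about, where the attacker simply puts the trusted name in the display name and points replies elsewhere.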

The CyberJungle Radio program that will post Monday will cover this story and other news about security, privacy and the law. Other stories we are covering include the widespread SQL injection attack; a new panic-button smartphone app; and an in-depth look at the Advanced Persistent Threat (APT) with Rob Lee of the SANS Institute. Listen to Episode 207 at the TheCyberJungle listening options page.

Posted by Ira Victor
