Steve’s been busy this week working on some new products.
You can see the first at Did Company Leak? This is a neat little hack that looks at social media reports to see if a there are reports of leaks, breaches or hacks and gives you a list of tweets that reference them. And, yes, I did really receive spam to two addresses stolen from iContact customers today.
I know a lot of people are putting all their eggs in the 2 factor authentication (2FA) basket as a solution to the recent breaches. Earlier this year, however, RSA had their internal systems breached and unknown data was stolen. Speculation from a lot of sources is that the information stolen from RSA by the attackers could be used to infiltrate systems protected by 2FA.
Today I, Cringely reports that a very large U.S. defense contractor may have been breached despite protection by SecurID. Anyone who has been around folks that work for defense contractors, or even just people with security clearances, knows that security and secrecy becomes second nature. They are naturally suspicious and careful, particularly when interacting with secure systems.
What should really concern anyone thinking about implementing security is that the defense contractor’s security folks implemented extra security after the RSA breach, but someone still managed to infiltrate their systems.
Whatever happens with RSA and the defense department, it’s pretty clear that 2FA is not a panacea. And even when we’re talking about security experts, including defense contractors and RSA, hackers can still get into their systems.
Many of the compromises start with spam linking to payloads. In fact, just last night another email expert had their gmail account compromised, resulting in virus being sent to multiple mailing lists and individuals. Some of the compromises happen through Facebook with links that fool people who should know better.
Security is critical for everything on the internet. But recently the attackers seem to be gaining the upper hand over the defenders. When even the experts are compromised, what chance does the average user have?
UPDATE: Reuters reports that the defense contractor was Lockheed.
The Online Trust Alliance has published a security framework for ESPs.
Overall, I think it’s a useful starting point. I don’t agree with all of their suggestions. Some of them are expensive and provide little increase in security. While others decrease security, like the suggestion to force regular password changes.
I think the most important part of the document is the question section. The key to effective security measures is understanding threats. Answering the self assessment questions and thinking about internal processes will help identify potential threats and their vectors.
The document is not a panacea, and even companies that implement all of their recommendations will still be open to attacks from other avenues. But it certainly is a very good way to open the security discussion.
You’re going to be seeing a lot of discussion about email addresses stolen from ESPs in the next few days, if you haven’t already. There are a lot of interesting things to discuss about that from an email perspective – from “Why two factor authentication isn’t a magic bullet.” to “And this is why corporate spam folders can be a major security risk.”
We could have fodder for blog content for weeks!
Right now I’m just going to look at one of the reasons why it’s worth stealing a list of email addresses from an ESP or a list owner, rather than just gathering them from other sources. That is, why the ESPs and list owners are high value targets beyond just “that’s where the email addresses are“.
If you steal a list of addresses from a list owner, or a bunch of lists from an ESP, you have one very useful extra piece of information about the recipients beyond the usual name-and-email-address. You know a company that the recipient is already expecting to receive email from.
That means that you know someone you can pretend to be in order to get a recipient to open and respond to a malicious email you send them – which will make an attempt to phish someones credentials or compromise their computer via email much more likely to be effective.
A good example of targeted phishing for credentials is the online game World of Warcraft. There’s a huge criminal underground that makes real world money by selling game money to players. The main thing the gold sellers need to have to be able to acquire game money, advertise their services to players and to give game money to players in return for dollars is an endless series of World of Warcraft accounts. Blizzard, the World of Warcraft owner, work reasonably hard to squash those accounts and make it slightly tricky for the gold sellers to sign up for them, so stealing account credentials from existing users is a great way to get them. And you can also strip those accounts bare of in-game possessions and gold in the process.
Some of the phishing is done in the game itself, where you know that everyone has an account you can steal if you can just get them to visit your website and compromise their machine…