Steve’s been busy this week working on some new products.
You can see the first at Did Company Leak? This is a neat little hack that looks at social media reports to see if a there are reports of leaks, breaches or hacks and gives you a list of tweets that reference them. And, yes, I did really receive spam to two addresses stolen from iContact customers today.
I know a lot of people are putting all their eggs in the 2 factor authentication (2FA) basket as a solution to the recent breaches. Earlier this year, however, RSA had their internal systems breached and unknown data was stolen. Speculation from a lot of sources is that the information stolen from RSA by the attackers could be used to infiltrate systems protected by 2FA.
Today I, Cringely reports that a very large U.S. defense contractor may have been breached despite protection by SecurID. Anyone who has been around folks that work for defense contractors, or even just people with security clearances, knows that security and secrecy becomes second nature. They are naturally suspicious and careful, particularly when interacting with secure systems.
What should really concern anyone thinking about implementing security is that the defense contractor’s security folks implemented extra security after the RSA breach, but someone still managed to infiltrate their systems.
Whatever happens with RSA and the defense department, it’s pretty clear that 2FA is not a panacea. And even when we’re talking about security experts, including defense contractors and RSA, hackers can still get into their systems.
Many of the compromises start with spam linking to payloads. In fact, just last night another email expert had their gmail account compromised, resulting in virus being sent to multiple mailing lists and individuals. Some of the compromises happen through Facebook with links that fool people who should know better.
Security is critical for everything on the internet. But recently the attackers seem to be gaining the upper hand over the defenders. When even the experts are compromised, what chance does the average user have?
UPDATE: Reuters reports that the defense contractor was Lockheed.
I’ve seen a number of people and blogs address the recent breaches at some large ESPs make recommendations on how to fix things. Most of them are so far from right they’re not even wrong.
One group is pointing at consumers and insisting consumers be taught to secure their machines. But consumers weren’t compromised here.
Another group is pointing to senders and insisting senders start authenticating all their email. But the failure wasn’t in authentication and some of the mail is coming through the ESP systems and is authenticated.
Still others are claiming that ISPs need to step up their filtering. But the problem wasn’t with the ISPs letting too much email through.
The other thing that’s been interesting is to watch groups jump on this issue to promote their pet best practices. DKIM proponents are insisting everyone sign email with DKIM. Extended SSL proponents are insisting everyone use extended SSL. But the problem wasn’t with unsigned email or website trust.
All of these solutions fail to address the underlying issue:
ESPs do not have sufficient security in place to prevent hackers from getting into their systems and stealing their customers’ data.
ESPs must address real security issues. Not security issues with sending mail, but restricting the ability of hackers to get into their systems. This includes employee training as well as hardening of systems. These are valuable databases that can be compromised by getting someone inside support to click on a phish link.
Not everyone inside an ESP needs access to address lists. Not everyone inside an ESP customer needs full access to address lists. ESPs must implement controls on who can touch, modify, or download address lists. These controls must address technical attacks, spear phishing attacks and social engineering attacks.
What’s happening here actually looks a lot like the Comodo certificate attack or the RSA compromise.
It’s time for the ESP industry to step up and start taking system security seriously.
The Online Trust Alliance has published a security framework for ESPs.
Overall, I think it’s a useful starting point. I don’t agree with all of their suggestions. Some of them are expensive and provide little increase in security. While others decrease security, like the suggestion to force regular password changes.
I think the most important part of the document is the question section. The key to effective security measures is understanding threats. Answering the self assessment questions and thinking about internal processes will help identify potential threats and their vectors.
The document is not a panacea, and even companies that implement all of their recommendations will still be open to attacks from other avenues. But it certainly is a very good way to open the security discussion.