Arrests in ESP data breach

The FBI announced today the arrests of three people in connection with the ESP data breaches, the compromises of various ESPs a few years ago.
Krebs on Security: Feds Indict Three in 2011 Epsilon Hack
Department of Justice: Three Defendants Charged with One of the Largest Reported Data Breaches in U.S. History
After over a billion addresses were stolen from 8 ESPs, the lists were monetized through affiliate marketing. The owner of the affiliate program was one of the people arrested.
More on Monday.

Related Posts

Target breach started from email

According to Brian Krebs the compromise of Target’s POS system probably originated with a phishing attack against one of Target’s vendors. This attack compromised credentials of the HVAC vendor and possibly allowed the hackers entrance into Target’s systems.
Interestingly, Brian mentions Ariba, a company I’ve been forced to deal with by a large customer of ours. I’m not sure if there really is an attack vector where a vendor can get access through Ariba to the internal systems of the customers. However, my experience with Ariba has been frustrating and problematic, so I’ll be happy to believe their security is as broken as their email.
Email is a great way to interact with people and companies. It’s great for growing communities and businesses. But it is also a way for attackers to get access to your computer and the websites you interact with. Protect yourself, and your company, by running security software. And, please, don’t open attachments or click on links in emails and provide usernames and passwords.
Get a helmet

There’s been a lot of interesting reaction to Steve’s security post yesterday. A lot of people seem upset that we have pointed out one of the ways that ESPs may be getting compromised. Complaints range from the message being overly simplistic, through to complaints that we just don’t understand how much of an issue security is, through to complaints that we’re not pointing out that some ESPs actually are secure. Some people have even provided counter examples of how simple it is to compromise any company, so why are we picking on ESPs.
Security is a problem any company faces. Some industries are bigger targets than others, and ESPs have really jumped up the target list. ESPs are getting lists stolen. ESPs are getting reputations stolen.
There’s one ESP I know for a fact that has lost multiple customer lists 3 times. Three companies I get email from are hosted there. When all three of those tagged addresses started getting spam, the only logical assumption was that the ESP was compromised. Again. Those are companies I want to hear from, though, and I changed addresses on their sites after every breach. What’s distressing, though, is the total lack of response from either the customer or the ESP to my notices about the breaches. To be fair, the problem seems to have stopped more recently.
Silence and refusal to address an issue is a big problem. An address I gave a company on the Only Influencers list was stolen (I’m not going to say leaked because I actually trust them to not have violated their privacy policy) sometime back in early 2011. I didn’t notice right away because my spam filters were catching the mail, but eventually the spammers managed to get one into my inbox. When I saw it, I started checking and realized that address had been compromised a long time ago. I notified the company, with as much history of the address as I could. I ended my message with:
Michele Bachmann Announces She's Done

U.S. Representative Michele Bachmann (R-Minnesota) announced today that she’s not going to seek re-election in 2014.
Last time around, the race between her and Minnesota businessman Jim Graves was very close. Mr. Graves lost by a very narrow margin. Graves had already announced his intention to take on Ms. Bachmann again next year. As the news came out on Bachmann’s decision, both camps made it clear that they think their person would have won the rematch. Just yesterday, Minnesota Public Radio explained that Graves seemed to be facing “an uphill battle vs. Bachmann.” At the same time, recent polling by the Graves campaign showed him slightly ahead of Bachmann. The race certainly would have been very close, but it was looking to be a scenario much like last time around, which, at the end of the day, Ms. Bachmann did end up winning.
So if she’s got at least a fair shake at winning, why wouldn’t she take it all the way? Well, that’s what brings us to why I’m writing about this here. It seems that Bachmann’s failed 2012 presidential campaign was accused of stealing the email list of Network of Iowa Christian Home Educators (NICHE) back in 2011. In a bit of an attempt to re-write history, they later came to an after-the-fact settlement to label the action a “rental” and NICHE received a $2,000 payment from the Bachmann campaign.
And that’s just one of multiple ethics issues Minnesota’s face of the Tea Party is facing. In March, her attorney confirmed that Bachmann is under investigation by the Office of Congressional Ethics for alleged misuse of campaign funds. One of her own 2012 presidential campaign staffers, Peter Waldron, filed a complaint that Ms. Bachmann’s campaign improperly used leadership PAC funds to pay campaign staff. There were further allegations regarding payment of staffers and attempting to require exiting staffers to sign non-disclosure agreements prohibiting them from talking to police or attorneys. And the FBI is now said to be involved.
I’ve consulted for multiple email service providers who have told me how challenging it can be to work with political senders. At least one ESP prohibits this kind of mail outright, out of frustration with candidates regularly playing fast and loose with permission. PACs, parties, candidates and other groups seem to buy, sell or trade lists constantly, and as a result, spam complaints and blocking would often follow. Thus, it doesn’t surprise me to see Ms. Bachmann’s campaign engaging in something email list-related that they probably thought was just common usage, when the rest of us in the email community would find that use unwelcome and unethical. (And it’s not just her party guilty of this kind of thing.)