Shostack + Friends Blog Archive


How the Epsilon Breach Hurts Consumers

Yesterday, Epsilon and Sony testified before Congress about their recent security troubles. There was a predictable hue and cry that the Epsilon breach didn’t really hurt anyone, and that there was no reason for them to have to disclose it. Much of that came from otherwise respectable security experts. Before I go on, let me give kudos to Epsilon for coming clean, because, in fact, the breach does hurt me. I want to explain both how it hurts me, and how covering it up would compound that harm. To understand, let me explain part of...

How I protect myself against phishing

I do a variety of things to protect myself from phishing attacks, including bookmarking my banking web sites, and setting up special email addresses that are only given to a single business. For example, Capital One (an Epsilon customer) might think that my email is cap1-814406d6fa52c5317aa@example.com. Now, any email that comes to that address has some special properties. I know that either it came from the expected sender, or there’s been a breach of confidentiality at the sender, the intervening network, or on my systems. In that sense, these addresses are honeytokens. In many instances, the entities I’m working with use opportunistic TLS for email, and so I can be confident that it’s not passive sniffing of the intervening network. Now, since I have technology that makes it easy to see if an email went to the right address, I can ignore most emails claiming to be from financial institutions. I save a great deal of time and energy that way. But for the emails that come into the special mailboxes, I can also save time by going with the assumption that they’re ok, because this defense tends to work.

How the breach hurts me

Since Epsilon was good enough to bring up the breach, and Capital One was good enough to contact their customers, I’m aware that my defenses are less strong than they otherwise would be. I have to expend more energy than I otherwise would have reading URLs in messages in that folder. If the breach had been concealed, then I would be naively vulnerable. I would be vulnerable because respectable experts hadn’t thought about this scenario, and had naively decided that I didn’t need to know about the incident.

The Limits of Expertise

This is one example of the limits of experts to understand the impact of breaches on consumers. There are doubtless others, and we should be willing to question the limits of our expertise to fully understand the impacts of breaches on everyone. We should also question our expertise to decide for them what’s best for others.

Breach Fatigue?

Now, some people will argue that there’s “breach fatigue”, and that that means we should select for others which incidents they’ll hear about and which they won’t. While I agree that there’s breach fatigue, that’s a weak argument in a free society. People should be able to learn about incidents which may have an effect on them, so that they (and I) can make good risk management decisions. We don’t argue against telling people that there’s lead paint on Chinese toys even though much of the damage will already have been done by the paint that’s flaked off. We don’t argue against telling the public about stock trades by insiders even though only a few experts look at it. We as a free society encourage the free flow of information, knowing that it will be put to a plethora of uses.

This is just one of the many reasons why I support broad breach notification.

There are some technical details after the break.

So, here is how this works in practice. The actual procmail I use looks a lot like this. Domains and addresses have been altered.

# Mail addressed to the Capital One honeytoken goes straight into its own mailbox.
# The trailing colon on ":0:" makes procmail lock the mailbox while it writes to it.
# (^TO_ instead of ^To: would also match Cc and similar recipient headers.)
:0:
* ^To: cap1-814406d6fa52c5317aa@example.com
capital-one

# Same pattern for a second business, with its own one-off address.
:0:
* ^To: boa-ed218d18fbf844d677970@example.com
bank-of-america
# I don't think Bank of America uses Epsilon; I want to illustrate the one-off nature of the addresses

So can you do this? If you have access to a domain and procmail, it’s easy. Setting those up is a fair amount of work. You could do something similar with “+ addressing” which some mail providers support, but some web developers break your ability to enter a + in an email address, mistakenly thinking it blocks SQL injection. You could also use a unique address (sdhjfdslfh237232@yahoo is still available!) and check each regularly, but that’s probably more work–one of the nice things about the procmail solution is that it integrates seamlessly into my personal email flow. [Update: If you don’t have a domain, see Kurt’s comment. I wasn’t aware that businesses that did this exist. Note that using them like this adds a party to the trust list.]

Now, I could do more. I could check DKIM signatures before depositing the mail, which would break the ability of the Epsilon attackers to fake me out, and maybe I will. I could do other consistency checking à la TOFU (trust on first use). But I wouldn’t have thought about it without knowing about the breach. And in fact, I think this method works incredibly well without that. As long as we have breach notification.
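As an added example (not the post’s own procmail, and not Epsilon’s or any bank’s code), here is the same honeytoken routing in Python with the sender-consistency check the post alludes to: mail that reaches a one-off address from a domain other than the business it was given to is flagged, which is exactly the case a leaked address list makes possible. The honeytoken addresses are the altered ones from the post; the expected sender domains and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed lookup table: honeytoken address -> (mailbox, expected sender domain).
# The addresses are the altered ones from the post; the sender domains are assumptions.
HONEYTOKENS = {
    "cap1-814406d6fa52c5317aa@example.com": ("capital-one", "capitalone.example"),
    "boa-ed218d18fbf844d677970@example.com": ("bank-of-america", "bankofamerica.example"),
}


def recipients(msg):
    """Lowercased recipient addresses from the To, Cc and Delivered-To headers."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}


def classify(raw):
    """Return (mailbox, verdict) for one RFC 5322 message.

    'no-honeytoken': ordinary mail, the usual suspicion applies.
    'consistent':    a token address was hit and From matches the business.
    'suspect':       a token address was hit from an unexpected domain, i.e.
                     the one-off address has leaked. Only header consistency is
                     checked here; From is forgeable, so DKIM is the stronger test.
    """
    msg = message_from_string(raw)
    hits = [HONEYTOKENS[a] for a in recipients(msg) if a in HONEYTOKENS]
    if not hits:
        return ("inbox", "no-honeytoken")
    mailbox, expected = hits[0]
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rsplit("@", 1)[-1]
    if domain == expected or domain.endswith("." + expected):
        return (mailbox, "consistent")
    return (mailbox, "suspect")


# Constructed sample messages (not real mail).
LEGIT = ("From: Capital One <alerts@capitalone.example>\n"
         "To: cap1-814406d6fa52c5317aa@example.com\n"
         "Subject: Your statement is ready\n\nLog in via your bookmark.\n")
PHISH = ("From: Capital One Security <secure@capital0ne-verify.example>\n"
         "To: cap1-814406d6fa52c5317aa@example.com\n"
         "Subject: Verify your account\n\nClick here now.\n")
OTHER = "From: friend@example.org\nTo: me@example.com\nSubject: hi\n\nhello\n"

if __name__ == "__main__":
    for raw in (LEGIT, PHISH, OTHER):
        print(classify(raw))
```

The "suspect" verdict is the signal the breach notification made worth looking for: a message to the Capital One token from a look-alike domain would have been filed as trusted before.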

3 comments on "How the Epsilon Breach Hurts Consumers"

  • kurt wismer says:

    if you don’t have a domain, don’t want to risk the unreliability of “+ addressing” (or the fact that “+ addressing” is easy to find and strip out of email address databases automatically), and don’t want to put in the work to create a new yahoo email address every time and then check them all individually, may i suggest a dedicated disposable email address service provider.

    there are a wide variety of them out there. some have very useful properties for this context, like forwarding incoming mail to your real email address, the ability to create new addresses on the fly (without going to the site), or even countermeasures for domain filters.

  • Simon G says:

    Actually, in a way, it’s your defense that makes you vulnerable. I don’t do any of that, I just use my regular email address. But: I automatically work from the assumption that the email is a fake until proven not, by examining it carefully. If you have defences that lull you into a false sense of security then nondisclosure hurts you, because you’re no longer as suspicious of mail as you should be.

    I’m not a customer of anyone that uses Epsilon, but it doesn’t really matter. I outright just don’t trust any email that appears to come from any institution I deal with.

    Bookmarking URLs is good though. If you always use those rather than clicking the click here link in the email, you should be fine (absent malware or other having got you already, in which case, well, you’ve been got already).

    • Adam says:

      I’m going to vehemently disagree with your claim that “it’s your defense that makes you vulnerable.” The vulnerability is in the organization, not my email reading. We need to recognize and treat this as an externality, not blame the victims.

      My normal course of action allows me to optimize my time, rather than accept the transfer of risk and the claim that I need to spend minutes per email deciding if it’s ok to act or not.
