ESET Press Center
Why Does the Epsilon Data Breach Affect All of Us and What Steps Can Companies Take to Prevent This From Happening to Them
Complete Transcript of Interview – Randy Abrams - ESET
Let's Talk Computers Radio Talk Show
Host Alan Ashendorf
April 23 2011
Alan: Everybody has seen on the news about the Epsilon Breach, but most people think it only has to do with big companies; but that's not true. It actually affects all of us. To tell us why, our guest today is Randy Abrams, Director of Technical Education with ESET. Welcome back to Let's Talk Computers, Randy.
Randy: Well, thanks, Alan. It's great to be back.
Alan: Randy, when we see these things in the news, we think, "Oh-oh, another company just hacked into – they should have had better protection." However, this really affects everybody out there, doesn't it?
Randy: It affects a whole bunch of people, because Epsilon is the spam machine for about 2,500 major companies that have millions and millions of customers.
Alan: Most people don't even know who Epsilon is. It's just a name that popped up and it's like, "Oh, that's interesting." They really are the backbone of major companies – I mean, we're talking about Krogers; we're talking about US Bank; J.P. Morgan; Chase; Capital One. We're talking about Brookstone; Target; we're talking about Frye; 800 Flowers; we're talking about Red Roof Inn.
Randy: We're talking about The Hilton Honors; Marriott Rewards, and Disney Vacations – the list goes on and on.
Alan: It's where you eat; it's where you sleep; it's where you shop; it's where you get groceries. All of this is very valuable when you put all of it together and this is where you really are going to have to be on your toes as any company, because this is like a wake-up call for these companies - where they should have had your heuristics already put into place.
Randy: This is a whole different ball of wax! We don't know how they hacked.
There are some indications that there was actually some phishing involved, targeting the employees of Epsilon, and that definitely could have been one of the ways people got in. It's very possible that an employee was targeted and tricked into running malicious software that gave an attacker remote access into the company.
Alan: Now, when you say the "spam run." These are in most cases legit emails that go out with offers and we get offers in our e-mail box and we think that the company, themselves – let's call it "x-y-z company" – actually sat down and composed a nice little e-mail to go out. That's their e-mail campaign. Actually they use companies like Epsilon to do all the work for them, don't they?
Randy: Right. They outsource that work to Epsilon. Rather than having a department, internally to write up all these e-mails and manage the customer list and all that stuff, they call a company like Epsilon and say, "Here's our customer list and this is the message we want sent out to them; make it happen," and Epsilon does that.
Alan: But when someone hacks into a company like Epsilon and gets this information, why should we, as consumers be concerned?
Randy: Well, there are a couple of aspects. For one, a lot of the companies were banks, so if someone knows what bank you bank at and the e-mail address that you use at that bank, which is the kind of information that was stolen in the Epsilon Data Breach, then they can be in a much better position to try to phish and try to send you an e-mail to convince you that there's really a problem with your bank account and you have to cough up information that you don't have to.
This makes phishing attacks much more targeted and much more effective.
Alan: We've been talking about "phishing attacks," and that's spelled "ph," not fishing, like you're going out and "fishing" off a pier, but it's very similar, isn't it? What, exactly is phishing?
Randy: Well, a phishing attack usually involves e-mail, although it can involve instant messaging or Facebook messaging, and what happens is you get a message that is designed to trick you into giving up information that they can then use to steal your account; steal your bank information; empty your bank accounts or even perhaps perform identity theft.
Alan: But, now they are going to start using what they call, "spear phishing" and how is spear phishing and phishing different?
Randy: Think of phishing as throwing a net out in the water and grabbing up all the fish you can, whereas spear phishing is that you are aiming for a specific fish. So, when we're talking about spear phishing in computer terms, we're talking about a targeted attack.
So, I've gotten e-mails before, saying my account with "x-y-z" bank has a problem and I have to give up this information, but I don't bank with that bank, so this is just a "throw the net out there and see who we can catch."
But, with spear phishing, and that's what this data breach enables, the attacker knows that, "Yeah, I do bank with that bank." The hacker knows that is the e-mail address I use in conjunction with that account. So they are able to make a very targeted attack against me, and not just one of those fish out there in the net. They are aiming their barbs exactly at me.
Alan: I used to tell everybody that "It's not personal; it's not really going after you. They are just basically sending out millions of e-mails or millions of spam; it really has nothing to do with you; if you just happen to fall into the net, well that's the way it's going to happen." But this is personal! This is actually targeted to a particular person.
Randy: Well, yes and no. So what happens is the bad guys, let's say get a hold of these Epsilon lists and let's say they get a hold of the list of customers for City Bank. They are not going to sit down and say, "Well, this is that person and here's their e-mail address and we want to go get into their account."
What they're going to do is they are going to write a program that's just going to take all those e-mail addresses and say, "We know it goes with this bank account, so this is the e-mail template we're going to use and we're just going to send it to all these e-mail addresses." It is more targeted; but it's not like they were picking you personally. It was that your name just happened on that list of people.
Alan: Because I always use a separate e-mail account, say for my bank; for Amazon; for PayPal, instead of the one that's widely known for Let's Talk Computers or Total Solutions. That way I know that it's actually coming from Amazon or it's coming from PayPal or it's coming from my bank, because they use the little catch phrase that I purposely put inside of my e-mail address, I know, "Yep, it's me and that's legitimate, because nobody would have this." But this basically throws that out the window, doesn't it?
Randy: Well, it's a mistake to ever assume nobody else has an e-mail address, because there are ways that they get it, even if you only use it for your banking. E-mail addresses have a way of getting out there, so it's a mistake to ever think that that's the only way it could ever be seen. Yes, this cuts right through the noise because they know exactly which e-mail address you use.
Alan: Epsilon, being such a big company, I mean they send out 40 billion e-mails annually and they also have over 2,500 clients. They should know better and they should actually have put in protection, shouldn't they?
Randy: That's impossible to say, because they haven't furnished details of how the breach happened. We really don't know what levels of protection they were trying to take, whether or not it was appropriate. No matter what you do, if someone is going to be attacking you, they can get at you. This could have been an inside attack.
One of the interesting things is that there is a lot more value than just phishing runs from this data; there's huge marketing value in this, because what happens is this sensitive data can be sold to people that can say, "Okay, this e-mail address shows up at least 12 different companies."
Now, we've got lifestyle profiling and that kind of information is extremely valuable marketing information. So, the breach could very well have been marketing driven, as opposed to phishing driven.
Alan: What is ESET doing about this? I know you have been studying this very closely and what are you telling businesses what they need to do?
Randy: Well, ESET is only a part of a "defense in-depth" approach and we will do things like help protect your computers against keystroke loggers and other malicious software, so if one of your employees gets phished and gets tricked into downloading some malicious software then we're designed to try to detect that malicious download and block it so it doesn't get onto your network.
That's just one of the layers of defense. You're talking about a much bigger problem when you're talking about things like Epsilon data breaches than simply anti-virus software that's just one component of it.
Alan: But this is where you need something like your heuristics, because it used to be, well, this is a virus or this is a Trojan horse or this is some known attack and there's enough of it out there where you can send out a definition file, and that's what a lot of these anti-virus programs do.
Here, you are going to see a lot of one-on-ones, where you may never see that particular attack again and your heuristics stops a lot of this, doesn't it?
Randy: Right. You know, we're looking at behavior, so we're trying to identify threats that we've never seen before, based upon their behavior. There are so many new threats being developed every day that nobody can keep up with it, with a signature-based approach, alone and so the heuristics become an important component in helping to defend against these new threats.
Alan: What are we looking at as far as the cost of ESET Smart Security and ESET NOD32 software?
Randy: That can depend on how many computers you are buying it for and how long you are buying it for. For one PC a one-year subscription is $59.99. If you buy a two-year license then it's $89.99, which saves you 25%. There are other discounts, like for two PCs; the one-year license is $69.99, where one PC is $59.99. Again, there is like a 25% discount going with two years.
For the ESET Smart NOD32, which is just the basic anti-malware; anti-spyware; anti-adware; anti-virus; anti-trojan; anti-rootkit – the malware protection – the one-year license is $39.99 for one PC. It's $59.99 for two PCs. For one PC a two-year license is $58.99.
You can go to http://www.eset.com and look at the products and there is a breakdown. You can contact ESET if you are a corporation using more than four PCs to find out volume pricing for your corporate needs.
Alan: And you have different flavors, that are not just for PCs, don't you?
Randy: Exactly. We make protection for not only Windows, but also for Mac. For a long, long time we've had ESET NOD32 for Linux machines. We also provide protection for Exchange Servers.
ESET also has mobile malware protection. We don't currently support the iPhone or the Android, but we cover Windows Mobile and Symbian devices. If you haven't looked recently at our product offering, take a look at http://www.eset.com. We've got a nice range of products there.
Alan: And you also have Trialware. These are full-featured Trialware. You don't strip them down and "Try it and if you see that it's taken a virus out then you pay me for it." These are full-featured Trialware, aren't they?
Randy: Exactly. It's the full product with, essentially a 30-day license. Anything that our regular product can do your demo product can do – because it is our regular product! And then if at the end of 30 days you decide that you want to purchase a license you don't download new software. You get the license key and use the same software you downloaded because it's fully functional. It's just like having a 30-day license so that you can evaluate the software and try it and see if it's what you like.
Alan: And during those 30 days, you get full updates and sometimes you send out updates daily to make sure that we're protected, don't you?
Randy: Usually there's at least a few updates a day so it's pretty rare that a day goes by that doesn't have at least one update and generally there's two to four, sometimes more. It depends on what's happening. Trial software gets updated just like the regular software because it is the regular software. It's just a time-limited trial.
Alan: You mentioned that education is the key and I know on your Website you have all types of White Papers, talking about viruses and different ways that can infect your computer system and you also have copies of all the transcripts that we have done together.
Randy: These are excellent resources that people can use to educate themselves and learn more. We also have the blog and just recently I started a series about Adobe Flash, because a lot of people don't understand that Adobe Flash can seriously compromise your privacy. If you go out to our blog, you can also learn a lot more about a variety of different threats and how to deal with them.
Alan: And if I want to find out more information, what Website should I visit?
Randy: Come visit http://www.eset.com and also, for educational purposes, check out http://www.securingourecity.com. This is an effort that ESET and several companies, private and public, are providing to simply provide education.
When you go to the http://www.securingourecity.com Website you are not going to get product pitches; there's no link to buy here – it's pure education!
Alan: Randy, it looks like we've run out of time. Thank you for taking the time to talk to us about the latest data breach. This won't be the last one, I know, and I look forward to having you back on Let's Talk Computers real soon.
Randy: Well, thank you, Alan. It's been a pleasure to be here today.