Introduction to Security by Brandon, deliverability engineer

Transcription

1

2 Introduction to Security by Brandon, deliverability engineer We re a paranoid bunch at MailChimp. We proudly wear tinfoil hats, we have secret hideout rooms with steel walls, and we have fireman poles and slides throughout the building for quick evacuation. We also have at least 24 rottweilers with freakin lasers on their heads. We d go into more detail, but let s just say that security is a serious matter at MailChimp. We take it so seriously because our customers shouldn t have to worry about their data. We spend a lot of time talking about bad guys and acting like bad guys, to figure out how they think. Our team invests a lot of time and money into writing code to protect ourselves and our customers, and we have lots of software and hardware to protect our infrastructure. Our security methods are there to help keep you safe but when it comes to protecting yourself and your subscribers, you have some responsibilities of your own. In this guide we ll cover how you can protect yourself, what to do if your data has been compromised, some basics on why an attacker might target you, and why data is important in the first place. We hope this guide scares you into taking some precautionary measures to ensure your data is safe.

3 According to the Ponemon Institute, the value of a customer record is $204 in the US. For some people the value is much higher, and for others it s much lower. Some people use the simple dollars earned divided by list size equals dollar-per- value calculation. (So if you made $120,000 off your campaigns and had 5,000 subscribers, then each subscriber is worth $24.) Though some are worth more than others, that calculation shows you how valuable addresses are. And even if you re not earning money off your subscribers, there s great responsibility in protecting the addresses they provide. Hackers want those addresses because they know how to extract and extort money from unsuspecting people, tarnish your brand and cause some serious financial hassles for you. If you and your service providers aren t taking the proper precautions to protect your customers data, then you re doing a grave disservice to your business and subscribers. *ATTENTION: EXTREMELY IMPORTANT OBLIGATORY LEGAL DISCLAIMER This guide is intended to serve as a resource on the topic of security. It is not intended as professional advice, nor is it a complete compendium of the information available in this area. The Rocket Science Group, LLC d/b/a MailChimp expressly disclaims any and all warranties about the information contained within. Use of the information contained within this guide is entirely, completely, definitively, absolutely, positively, 100% at your own risk. If you have questions or need specific advice for your situation, please contact a knowledgeable professional.

4 How to Protect Yourself You can never be too cautious when it comes to protecting yourself, your business and your valuable data. Here are some tinfoil-hat tips. 1. Keep ALL of your systems completely up to date. Not just your operating systems, but your browser, Adobe Reader, Java, flash, etc. These ancillary applications are generally the most problematic and easiest to hack. Keep your anti-virus programs up to date, and if possible, use anti-virus software that has a firewall or at the very least malware protection. Try something like Comodo. 2. Run anti-virus and malware scans daily. As in, every single day. 3. Secure your networks and wifi. Do NOT allow employees to use their home computers, guest computers, smartphones or ipads on your network. Secure your wifi using WPA2 or stronger. If you have mobile workstations inside or outside your networks, never use insecure wifi, like your local coffee shop s connection. If you must use this type of connection, keep your usage to an absolute minimum...read up on Firesheep to learn how much information gets transmitted on an open wifi connection.

5 4. Secure your smartphone with a password or security lock. If it s stolen, call your provider immediately and disconnect your phone. Passwords are extremely important when it comes to security. Use different passwords for every site you do business with...do NOT use the same password twice (see: Twitter Spam Attack Tied to Gawker Security Breach ). Each site should have a unique password. Consider using 1Password, KeePass or a similar utility to help keep track of all your passwords. Keep in mind that if someone steals your computer or gains access, they can steal your password database. So make sure your master password is unique and difficult to guess. Use at least 10-digit passwords with numbers, letters, symbols as well as different cases. If you use the same password everywhere, it s extremely easy for an attacker to try your username and password at each and every site they re after. 5. Use a single machine for financial transactions. It shouldn t be used for anything other than banking, and should only be connected via a wired connection. Don t keep this computer powered up unless it s being used. 6. Be careful what information you share publicly. If you re interviewed for something that will be published online, make sure you don t mention software vendors or business vendors you use, unless you can be 100% sure that your software and business vendors will not be hacked. 7. Never open , IMs and social-media notifications from people you don t know, haven t heard from in a long time, or look suspicious. This type of communication is often malicious, so skip it to be safe. If you re unsure, don t reply to the communication, and call the person for confirmation. Assume everyone is compromised.

6 What to Do If You Get Hacked Hopefully you re protecting your data like a champ and nobody s after you. But if you do get hacked, here s how to handle it. 1. If it s a virus or malware on a machine, disconnect ALL machines from your network immediately. At this point it s best to involve a local IT company or consultant who s trained in removing malware. Don t turn on any systems until the threat has been completely removed. If you must get to a system, make sure it s not on the internet, and assume that anything and everything on that system is infected. 2. Change all passwords, and security questions and answers that may have been affected. Make sure you do it from a secure machine if you change passwords on an infected machine, you re giving the attacker all the info they were after on a silver platter. Use a secured network that you trust. If your systems were hacked, don t trust your network until all machines have been given the all clear. 3. Contact your service providers and software providers, and ask them to do a scan for potential data breaches on your account. Also ask them to lock your account from further access if you feel the account is what the attacker was after, or if the account is important enough to lock down. 4. Check your . Ensure that there s nothing in your deleted items that relates to communication with your service and software providers. 5. Notify your friends, clients and business vendors that you were compromised. Let them know that they shouldn t trust further communication from you until otherwise noted.

7 The Hacker s Life Discussions about hackers usually end with, Why don t they just get a job? The truth is, hacking is their job, and they often make good money (or enjoy what they do). The laws in many countries are lax enough that cybercrime isn t considered serious, or there s just so much other bad stuff going on, it doesn t bubble up. Many countries even overlook this behavior because the criminals pay off and support government officials. The book Fatal System Error by Joseph Menn goes into more detail about that. Whether someone is paying government officials, or the laws just don t apply, it really doesn t matter. These criminals exist, and they re out to get any and all information they can. So why do they want your data? 1. To target your personal and/or business finances. Stealing financial account information is easy these days. It s even easier, and far more useful, to steal credit card information. 2. To target your computers and technology infrastructure. Botnets allow an attacker to use many machines to attack other machines, steal information and commit various other acts of evil. Once the hacker controls your computer they can: Log every keystroke you type. The software that records the keystrokes is even built to show fake login pages for financial institutes to log your credentials. Steal information from your hard drive. The attacker owns your machine and can get at any piece of data they want. Stealing your accounting database and cracking the username and password shouldn t take more than a few Google searches. Use your system to send SPAM. The majority of SPAM is sent through systems controlled by botnets. If your system is under the control of a hacker, they can send hundreds of thousands of pieces of SPAM from your system without you ever knowing it. 3. To target your customers. Maybe you have some high-profile clients that the attacker is after. Maybe a client is listed on your site or sent an issue via Twitter. It s easy to figure out who your clients are, and it s an easily accessible entry point for an attack.

8 4. To target employees. A hacker can easily target your employees using social media and direct attacks. It s easy to find ways to get at your employees, like using family members, college or high-school friends found through Facebook. If an attacker targets one of your employees, he can gain insight into your business practices and target your entire company. All attacks are planned. There s an end goal, and because this is the attacker s job, he spends lots of time planning and plotting every step. Just like that new promotion you planned in November, the attacker planned the malicious attack on your Social Media Manager. Many people think hackers don t put much thought into attacks, and while the 419 scams and bad spelling in most SPAM might make you think hackers are stupid, that s far from the truth. In the book Social Engineering: The Art of Human Hacking, Christopher Hadnagy provides information on how much effort a hacker will put into planning and executing an attack. It s like a chess game but unfortunately, most of the targets have no idea they re part of the game. If you have any type of online presence, then you are, have been, or very shortly will be under attack. So you must behave like you re under attack and secure your assets at all times.

9 Is Gold addresses are extremely valuable in today s economy. Referencing back to our quick calculation in the introduction, you can see that an address can be worth a lot of money to your business. Our identities, important accounts and vital information are attached to addresses. Chances are your financial institutions use your address as your username. Your social media accounts, like Facebook and Twitter, tie to your address. Your address is a unique identifier but more importantly, it s a communication mechanism. We use to transmit all kinds of important information, and we use more and more each day. Evil hackers want the accounts for various reasons. This is just a small list of some stuff they might be after: Hackers have found that companies who use ESPs generally have clean lists. A clean list means fewer bounces and potentially an engaged list. And that means the list will deliver to the inbox and have a higher likelihood of clicks and opens. The hacker wants your addresses to send your subscribers malicious stuff. Maybe your list has important users like congress members. If they can trick your subscribers into clicking links and visiting bad sites, they can then gain access to machines they were targeting. The hacker is planning a much larger attack and is just harvesting addresses. The hacker is planning to resell your subscribers. Know that lists used by marketers often have highly engaged readers and good addresses. If the hacker wanted to target your customers, they could easily imitate your campaign content and trick your users into following a link to a malicious site. Chances are, the engaged readers will click like they normally would. The list is valuable to you, but it s just as valuable if not more so to the hacker. There s also a large market for buying and selling addresses. So not only can the hacker use the addresses for direct attacks, but they can then sell the addresses to a list broker for further gain. Think that through the next time someone approaches you about selling a list chances are most of the addresses were gathered unethically.

10 How an Attack Works Remember, the hacker has an end goal. In this section we ll build a scenario and walk through how an attack is planned and carried out. Let s say your site is a popular foodie blog. You have a cool newsletter signup on your site, and you allow people to comment on your blog. Somewhere along the way, you were interviewed on a food website about how you handle your business, and most importantly, your marketing. You told everyone that you use this really cool newsletter service called MiamiMail, that you have 280,000 subscribers, and the list grows by 2,000-3,000 subscribers a week. It s so much to maintain that you hired Debra, a social-media expert, Quinn, an -marketing guru, and Vince, a programmer who works with the MiamiMail API. You also talk about your guest bloggers and some of the famous chefs that actively participate on the blog and answer questions in the comments. You just built this great new recipe section, where the same famous chefs comment on the posts. Arthur is a hacker, and he s just come off a series of attacks against major car dealers. He wants to change things up and reads the article about your site. It piques his interest because you gave some specific details. Here s what Arthur knows about your business: 1. You use MiamiMail. 2. You have a substantial list, and it s growing quickly. 3. Arthur knows about at least four people in the company: Debra, Quinn, Vince and you. 4. Arthur also knows some famous people who use your blogging tool. 5. Those famous people participate in the recipe section. Arthur takes this data and begins to research the following: 1. MiamiMail. Find out anything and everything out about them. He trolls the support forums, signs up for a free account, learns about the API and even experiments with the system to send a few test campaigns.

11 2. Your company s About page. That really cool Team page came in handy! Arthur finds a few other employees and then begins researching your employees and building profiles for Debra, Quinn, Vince and you. He finds your Twitter, Facebook and LinkedIn profiles. He also finds out your home addresses, personal accounts and a few other pieces of information he purchases using some stolen credit cards he got from that car dealer scam he ran last week. 3. The famous chefs. If Arthur can t trick your employees, he might be able to trick one of the chefs and maybe gain some access to the blog. Over the years we ve seen SPAM grow in maturity...spam has moved from poorly spelled 419 scams, to simple phishing scams, and now we see smarter and more targeted SPAM and phishing attacks. Hackers have exposure to tools, data and blackhat ESP systems that allow them to run sophisticated campaigns against targeted victims. We see hackers use levels of sophistication beyond what most marketers use, like advanced segmentation, dynamic content using conditional merge tags, and combining other data sources to target recipients more effectively. With combined data sources, they can effectively attack your employees and users. If the attacker can t obtain enough information, there are sites where a few dollars can provide them with just about anything they want to know. Just as you read your campaigns results, the hacker is using reporting data from their malicious software. When they launch an attack, they use the stats to tweak and refine future attacks. Arthur builds his campaign to drive his victims toward a site or series of malicious sites. These campaigns allow him to learn more about the computer systems involved, gain access to the owners system, or even worse, damage your infrastructure as a whole. He won t just target employees he ll target business associates, family members and friends. Arthur may even use a series of campaigns to learn more information or gain access to specific computer systems.

12 So what is a malicious site? Years ago someone would receive a virus in an , click it, and get infected. Those tactics are still used, but these days most attacks use driveby malware. The basic idea is that you visit a site that the hacker controls. They ve embedded some javascript or code that runs and infects your system. You didn t have to click anything you simply visited the site and got infected. If Arthur plays his cards right, he ll infect the right machines. Even if he doesn t get to the systems he wanted, he ll use the other systems to learn more information or attack elsewhere. And what does an infected machine provide Arthur with? Malware infections can include keyloggers, remote access and access to all the data on your machine or network. Once infected, Arthur has unfettered access to your information. Keyloggers allow him to watch all your keystrokes. Yes, EVERY keystroke. Malware is designed to run without you ever knowing it has been installed. Arthur can sit and watch and collect and learn. With time he ll gain access to all of your systems or in this case gain access to your MiamiMail account. Once he has this access, he ll steal your subscribers and start the process all over again. At this point, he can target your subscribers to gain access to their systems, attempt to steal credit cards and more. He can continue mining data from your system, or rent or sell your system to other hackers for other needs. Read more about malware. Scary, huh? We suggest rottweilers with lasers.