Heads-up for any organization that claims that protecting customers' information is its top priority: It's time to create a dedicated contact point, so security researchers can easily and quickly reach you in the event that they discover a data breach involving your network or customer data.
Organizations that lack a dedicated, fully monitored contact point for incoming alerts from security researchers risk ending up like dating network FriendFinder Networks, which apparently either missed, or ignored, directly emailed warnings from information security researchers that at least one of its dating sites had been breached, and that fraudsters were selling customers' data on underground forums (see Dating Website Breach Spills Secrets).
Threat-intelligence firm DarkNet BlackOps Intelligence in San Francisco shared with me copies of emails that it sent to top executives at FriendFinder, including the firm's president, lead attorney and head of engineering, as well as the chairman of the board. The first emailed alert, dated March 12, includes the subject line "BREACH ALERT! URGENT!" and the following information:
"AdultFriendFinder.com/FFN/Various, Inc., is currently the target from a data breach by a darknet bad-actor. ... All, and we mean ALL your databases for customers and personnel has been dumped, and the remainder of FFN brands are now the target of this hacker. ... This attack is similar to the recent Sony attack in that FFN is a direct target. This is not a drive-by attack that a scanner could have been used to find a vulnerability for exploit, this attack is targeted at FFN to cripple. In our experience, it requires handling at the C-level and Board level, and cannot be effectively delegated to supervisors or managers."
An automatically generated "read receipt" for that emailed alert was returned to DarkNet BlackOps Intelligence on March 12 from the email account of FriendFinder's marketing technology manager, according to the emails that the threat intelligence firm shared with me. A subsequent alert, sent May 22, also generated a receipt saying it had been read.
Several things jump out here: First, any recipient of the warning email might mistake it for spam or a phishing attack, unless they were well-versed in information security nuances. But the DarkNet BlackOps Intelligence email offered to share all of the information it gathered, free of charge; listed the company's website as well as telephone and mobile phone contact details; and offered to provide "references from law enforcement and other Fortune 100 clients" to substantiate its bona fides. With a few minutes of work, FriendFinder could have easily confirmed the researchers' intentions.
One question is why researchers at DarkNet BlackOps Intelligence just sent an email, rather than attempting to also phone FriendFinder. On the other hand, how far should researchers go when trying to inform an organization, for free, that it's been breached? Also, why wouldn't a FriendFinder employee think that the phone call, too, might be an attempt to socially engineer the firm?
Alerts Dismissed as Spam?
A FriendFinder spokesman tells me that its "leadership" only learned about the breach on May 22, after it was contacted by U.K. news agency Channel 4. Without commenting on the emails from DarkNet BlackOps Intelligence, the spokesman also says: "FriendFinder employees receive hundreds of sales and marketing spam messages daily, including many from third-party cybersecurity consultants, and any earlier communication on this specific issue was directed to junk mail folders and not considered a legitimate email."
But read receipts get generated when a message is opened, and they are not generated from messages that go directly to a spam folder. So if the "read receipt" is accurate, it means that a FriendFinder employee did receive and open the DarkNet BlackOps Intelligence alert.
For messages that appear to be phishing attacks or spam, discarding them seems perfectly reasonable - unless, of course, the seeming piece of spam is really a security researcher attempting to sound a warning. And that raises the question of why more organizations - including FriendFinder - don't create and publicize a dedicated email address or website contact page that can be used by researchers to report breaches, without promise of reward.
In fact, a DarkNet BlackOps Intelligence employee - speaking on the condition that his name not be used, because of the work he does - tells me that too often when his team finds evidence that an organization has been breached and customer data stolen, and then attempts to warn the victim, either there's no reliable channel for making contact, or else when contacted, the organization ignores the warnings. So far this year, he says, that has already happened with more than 20 other breached organizations that DarkNet BlackOps Intelligence alerted. Most of those breaches have yet to be made public, he says.
"We're just trying to be helpful, we're not trying to crucify anybody," he tells me. "At all times, it's paramount to us that we thwart the victimization of consumers, and we would never disclose or 'out' a breach without the organization going public first."
Bug Report Redux
The FriendFinder Networks story recalls the days when people screened phone calls by letting them go to voicemail, but then occasionally would miss what turned out to be a very important call.
In fact, the security world has already come up with a solution to this problem, which existed in a related form in prior years when security researchers would find bugs in vendors' code and attempt to inform them. Many vendors ignored those warnings. Some continue to do so, or react slowly.
But many security researchers - often searching for bugs in their spare time, and without hope of reward - grew frustrated, and began publicly disclosing bugs without waiting for recalcitrant vendors to patch them. That led some companies to post dedicated bug-reporting email addresses on their websites, and then to watch for alerts from security researchers, confirm receipt of those messages, and quickly detail how and when such flaws would be fixed, and publicly credit the researchers involved. Recognizing the incredible value that these independent security researchers so often provide, more recently, many organizations have also launched bug-bounty programs to further encourage and sometimes even reward such efforts.
These systems aren't perfect; communications sometimes get muddled. But creating channels for reporting bugs enables security-savvy researchers to easily highlight flaws in code that threaten users and their data, and acknowledges their contributions.
It's time now to create the same approach for data breaches. Organizations should highlight, on their websites, how altruistic third parties can report to them any data breach that they have detected. They should then follow up on any breach reports and perhaps even reward researchers. When it comes to responding more quickly to data breaches - and finding and eliminating the related network intrusions - that is the least organizations should be doing.