ThoughtThought

No more image consultants

Another Hosted CRM Security Breach: Salesforce is Hacked by Phishing

Coming around the same time as Convio’s security breach, Salesforce appears to have also been duped by a phishing scam, one that likewise resulted in huge customer lists being lost to spammers or worse. According to an article in the Washington Post, this security breach is known to have resulted in further, “highly targeted” phishing attacks against ADP and Suntrust, among others.

Salesforce is the premier provider of hosted (aka “software as a service”) enterprise CRM software, although it has a growing list of competitors. This can’t be good news. The company released a public mea culpa:

“We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied,” the company wrote. “Information in the contact list included first and last names, company names, email addresses, telephone numbers of salesforce.com customers, and related administrative data belonging to salesforce.com.”

This explanation bears a striking resemblance to the one offered to excuse the Convio fiasco — “foolish employee, smart hacker: what could we do?”. Salesforce followed this up with several security tips, two of which are worth reprinting:

  • IP Range Login Restrictions — you can only log in and manage your CRM from certain connection points — this is a fantastic idea.
  • Two-factor RSA encryption. This is probably going a bit overboard, but would be very effective. You basically carry a physical, electronic key on your person, which generates random numbers that you must have in order to log in. Can’t acquire this through phishing.

I used the 2nd technique to login to a US Government website and I must admit — it does make you feel like quite the spy!

The other tips were pretty run-of-the-mill. But for any Convio client still concerned about whether the security breach has resulted in phishing attacks against their end-users, I would recommend taking a look at Salesforce’s security recommendations as well as screenshots of the actual phishing emails that resulted, which Salesforce has prudently posted online. See if they bear a resemblance to whatever phishing attacks your Convio account end-users might be receiving. Of course, this doesn’t help if a hacker is breaking into bank accounts with the passwords that were stolen, but it’s something.

As for what Salesforce is doing:

What We Are Doing
Customer security is the foundation of customer success, so we have been implementing and will continue to implement the best possible practices and technologies in this area. Our recent and ongoing actions include:

  :: Actively monitoring and analyzing logs to enable proactive alerts to customers who have been affected

  :: Collaborating with leading security vendors and experts on specific threats

  :: Executing swift “takedown” strategies on fraudulent sites (often within an hour of detection)

  :: Reinforcing security education and tightening access policies within salesforce.com

  :: Evaluating and developing new technologies both for our customers and for deployment within our infrastructure. We will regularly update you on these security innovations

Sounds quite similar to Convio’s strategy, although I give Salesforce kudos for adopting a more web-savvy philosophy. But again, the kicker could be one-way hashing. With one-way hashing, you can’t get a login’s password unless you also know the password of the email associated with the login. Seems like a no-brainer, no?

Perhaps not. Perhaps the business analysts at Salesforce have calculated that once or twice yearly security breaches cost less than the potential customer dissatisfaction resulting from the inconvenience of retrieving reset passwords via email from a database employing one-way hashing.
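As an added example (not Salesforce’s or Convio’s code) of the two controls this post keeps coming back to, here is a small Python login check that enforces an IP-range allowlist and verifies passwords against a salted one-way hash, so that a copied user table yields no reusable passwords and the only recovery path is a fresh password sent out by email. The address ranges and the users table are constructed sample values; the hardware-token idea is not modelled.

```python
import hashlib
import hmac
import ipaddress
import os
import secrets

# Constructed sample allowlist (documentation ranges): the "IP range login
# restrictions" idea, where only known office connection points may log in.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]

def hash_password(password, salt=None, iterations=200_000):
    """Store only a salt and a PBKDF2-HMAC-SHA256 digest, never the plaintext,
    so a copied user table cannot be replayed; each entry must be guessed."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def ip_allowed(source_ip):
    """True only if the client address falls inside an allowed range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ALLOWED_RANGES)

def login(users, username, password, source_ip):
    """Both controls must pass: the right network AND the right password."""
    if not ip_allowed(source_ip):
        return False
    record = users.get(username)
    if record is None:
        # Hash anyway so unknown usernames take about as long as real ones.
        verify_password(password, hash_password("", salt=bytes(16)))
        return False
    return verify_password(password, record)

def reset_password(users, username):
    """The only recovery a one-way store allows: mint a new random password,
    store its hash, and hand the plaintext back once for email delivery."""
    temp = secrets.token_urlsafe(12)
    users[username] = hash_password(temp)
    return temp
```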
