Not much has been released about exactly how Premera got attacked, and certainly nothing from anyone with recognised insider knowledge.
Disclaimer: I worked at Premera in the Information Security team, but it’s so, so long ago that any of my internal knowledge is incorrect – so I’ll only talk about those things that I have seen published.
I am, above all, a customer of Premera’s, from 2004 until just a few weeks ago. But I’m a customer with a strong background in Information Security.
Almost everything boils down rather simply to one article as the source of what we know.
February 4, 2015: News stories break about Anthem’s breach (Anthem was formerly Wellpoint).
January 29, 2015: The date given by Premera as the date when they were first made aware that they’d been attacked.
I don’t think that it’s a coincidence that these dates are so close together. In my opinion, these dates imply that Anthem / Wellpoint found their own issues, notified the network of other health insurance companies, and then published to the news outlets.
As a result of this, Premera recognised the same attack patterns in their own systems.
This suggests that any other health insurance companies attacked by the same group (alleged to be “Deep Panda”) will discover and disclose it shortly.
I’ve kind of driven in the idea that Anthem used to be called Wellpoint, and the reason I’m bringing this out is that a part of the attack documented by ThreatConnect was to create a site called “we11point.com” – that’s “wellpoint.com”, but with the two letter “els” replaced with two “one” digits.
That’s relevant because the ThreatConnect article also called out that there was a web site called “prennera.com” created by the same group.
So, given a domain name similar to that of a site you wish to attack, how would you get full access to the company behind that site?
Here’s just one way you might mount that attack. There are other ways to do this, but this is the most obvious, given the limited information above.
If you’re concerned that I’m telling attackers how to do this, remember that this is obvious stuff. This is already a well known attack strategy, the “homograph attack”. This is what a penetration tester will do if you hire one to test your susceptibility to social engineering.
There’s no vulnerability involved, there’s no particularly obvious technical failing here, it’s just the age-old tactic of giving someone a screen that looks like their logon page, and telling them they’ve failed to logon. I saw this basic form of attack in the eighties, it’s that old.
If you’ve been reading my posts to date, you’ll know that I’m aware that security offence is sexy and exciting, but security defence is really where the clever stuff belongs.
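Defenders can catch look-alike domains of the “we11point.com” / “prennera.com” kind mechanically, by folding visually confusable character runs into the letters they imitate and comparing the result against a watch list of your own brands. The following is an added example written for this post, not code from the original article or from any named vendor; the confusable table, the watch list and the sample domains are constructed for illustration.

```python
"""Flag domains that are homoglyphs of a watched brand domain.

Feed lookalike_of() with newly registered domains, certificate
transparency entries or outbound DNS queries to spot the kind of
look-alike registration described above before users see it.
"""
import re
from typing import Optional

# Constructed table: multi-character confusables are listed first so that
# "nn" folds to "m" before any single-character rule could touch it.
CONFUSABLES = [
    ("rn", "m"),   # r+n reads as m in many sans-serif fonts
    ("nn", "m"),   # "prennera" -> "premera"
    ("vv", "w"),
    ("1", "l"),    # "we11point" -> "wellpoint"
    ("|", "l"),
    ("0", "o"),
    ("5", "s"),
]

# Constructed watch list of the brands you actually own.
WATCH_LIST = {"wellpoint.com", "premera.com"}


def registrable_name(domain: str) -> str:
    """Strip any scheme and path, returning the lowercase host name."""
    host = domain.lower().strip()
    host = re.sub(r"^[a-z]+://", "", host).split("/", 1)[0]
    return host.rstrip(".")


def canonicalise(host: str) -> str:
    """Fold each confusable run into the letter it is meant to look like."""
    folded = host
    for seq, replacement in CONFUSABLES:
        folded = folded.replace(seq, replacement)
    return folded


def lookalike_of(domain: str) -> Optional[str]:
    """Return the watched domain this one impersonates, or None.

    An exact match is the genuine site and is deliberately not reported.
    """
    host = registrable_name(domain)
    if host in WATCH_LIST:
        return None
    folded = canonicalise(host)
    for watched in WATCH_LIST:
        if folded == canonicalise(watched):
            return watched
    return None
```

The folding is intentionally lossy: it only ever answers the question "does this name collapse onto one of mine?", so false positives on unrelated domains are not possible, while a genuinely new trick (a character not in the table) simply goes undetected until the table is extended.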
I have a few simple recommendations that I think apply in this case:
Another tack that’s taken by companies is to engage a reputation management company, to register domain names that are homoglyphs to your own (those that look the same in a browser address bar). Or, to file lawsuits that take down such domains when they appear. Whichever is cheaper. My perspective on this is that it costs money, and is doomed to fail whenever a new TLD arises, or your company creates a new brand.
[Not that reputation management companies can’t help you with your domain names, mind you – they can prevent you, for instance, from releasing a product with a name that’s already associated with a domain name owned by another company.]
These three steps are somewhat interdependent, and they may cause a certain degree of inconvenience, but they will prevent exactly the kind of attacks I’ve described. [Yes, there are other potential attacks, but none introduced by the suggested changes.]