C’mon folks! Let’s learn from 2015
This holiday season was, once again, rife with hacks. Before the first bottle of Christmas cheer was even opened, two major attacks and one very noteworthy hack were making the headlines.
First up, anti-virus company Avast revealed that personally identifiable information (PII) stored in Target’s wish list app was, for all intents and purposes, unsecured because of the app’s API. Without too much effort, Avast’s team was able to siphon information which “included names, e-mails, shipping addresses, phone numbers, the type of registries and the items on the registries.” While this information is in a different class from the credit and debit card information stolen in the 2013 hack, it is part of the profile-building information that malicious actors value these days as they seek not just to make a quick profit off your credit card, but to entrench themselves for long-term gain through total assumption – and annihilation – of your identity. Avast’s Filip Chytry revealed that the information was easily accessible because no authentication was required.
Hot on the heels of this story was the news that Juniper Networks – the company that builds the network communication equipment (routers, switches, firewalls, etc.) that likely sits in your company’s core infrastructure, keeping your company up and online for business – owned up to a backdoor vulnerability in its networking equipment that had left government and enterprise data vulnerable to theft. While all breaches are somewhat unnerving, this type of attack is particularly insidious. Basically, the attack works by hackers installing a secret entry point into compromised equipment that enables them to bypass all security measures and gain access to admin files, sensitive data, and root passwords without detection, and that also facilitates the removal of data from these systems.
Then, on Christmas Eve, security guru Brian Krebs’s PayPal account was hacked via a very simple, old-fashioned social engineering attack. According to Krebs, he received an email from PayPal on the morning of December 24 “stating that an email address had been added to my account.” Immediately after receiving this notification, he “changed the password, switched [his] email address back to the primary contact address, and deleted the rogue email account.” Just twenty minutes later, however, the same fraudulent email address had been re-added. By Krebs’s account: “[t]he attacker had merely called in to PayPal’s customer support, pretended to be me, and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.” Again, sloppy security, not on Krebs’s part, but definitely on PayPal’s.
It’s true that Juniper responded swiftly and issued a patch, and that Target immediately removed the elements of the app that introduced the vulnerability, but all of these incidents were preventable. They show a lack of attentiveness and shortcuts in penetration testing, social engineering testing and white box testing, any of which would have brought these weaknesses to light before they were exposed in the public realm. The backdoor in the Juniper attack was, according to researchers quoted in Wired, first identified in 2007, and every app should be put through its paces before release – not just for functionality but for security too. In the case of PayPal, where were the additional factors of authentication that are harder to replicate than the all too commonly stolen Social Security number and credit card information? Even the most basic mobile device authentication protocol, such as the one-time codes commonly used by Google, Facebook, and Apple, would have been a vast improvement over PayPal’s current standard.
Failure to follow best practices, to integrate basic security knowledge (such as awareness of pre-existing vulnerabilities) or to learn from peer organizations is something we must stop doing, and it seems we still aren’t doing a good job of learning that lesson. We all know that the white hats are far outnumbered by the black hats in the data security field, and giving the black hats a pass by failing to do the basics is plainly unacceptable in 2016. Vendors, retailers, or any organization for that matter that asks the public to trust it with personally identifiable information or other sensitive data needs to think about its security stance and ask whether it is doing all it can. Then, if the answer is not a resounding yes – and no one’s should be – it needs to start learning and keep on learning. This process starts with learning from those organizations that do security well, then implementing best practices, looking to augment – not rip and replace – existing security tools with next generation solutions, and then, in return, sharing that knowledge and those best practices with fellow CIOs.
It’s not that securing data is easy, far from it, but there’s no sense in repeating the same errors time and again. Will 2016 be the year that data security finally becomes an integral part of every product, platform, and app? Only time will tell.