Tuesday, May 5, 2020
Security Incidents and Hackb Case
Questions: 1.What Was the Problem? 2.How and Why It Occurred? Answers: Security Incidents In the present-day information age, the rules of value have changed and moved from the physical to the intangible. In today's inter-connected and always online world, data is the most important thing any organisation can own (Singh, 2015). Data not only serves as a fertile ground to be tilled for competitive advantage, but some data also come with the responsibility of protecting it. For example, if a company handles credit card details of its users, it is the company's responsibility to ensure the protection of such data, both from outsiders and insiders. It follows that data should be the thing that is stolen most often. Indeed, criminals are now after the data of an organisation. Various attackers like novice and skilled programmers, organised crime groups, activists, terrorists, and governments are interested in compromising an organisation for their goals. The world of information security is wide, and there are many nuances to the methods in which information may be compromised . This report looks into two real-life examples of information security incident. The first portion of the report discusses a breach, while the second one discusses an attack. Breach A breach is an inadvertent exposure of confidential information ("Security Breach", n.d.). In a breach, the parties acting to expose the information are insiders of an organisation. However, there is no malicious intent. Still, any data which is once made public can never recover its private status. This report will discuss a breach which happened from September to December 2015. The public data was searched, and one incident was selected for the purpose of this report. Any decent sized business will have access to personal details of many users. Even if the number of users does not run into millions (as we will see the later portion of this report), thousands of users may have given their personal data to the company. Web sites often request details like full name, phone number, postal address, and email address. The companies want to promote their business, and emails are much cheaper and quicker than postal mail. Thus, every company prefers to send electronic newsletters via email. Beyond a small number of recipients, it is often efficient to use software for the purpose of sending mass emails. The software can take care of sending the emails, handling unsubscribe requests, and work error-free. Now, this software can be developed in-house or bought off-the-shelf and then hosted on company's infrastructure, or subscribed to a third-party using Software as a Service (SaaS). The breach which is being discussed in this report concerns retailer WHSmith (England, 2015). WHSmith specialises in selling books, stationery, magazines, newspapers and entertainment products. Like any business worth its salt, it too has a Contact Us page, which understandably asks for personal details and email address also. On 2nd September 2015, the systems of WHSmith began emailing the contents of the Contact Us page to the entire mailing list of the company (Temperton, 2015). 1. Users have faith in the companies with which they are interacting. An online platform for a company with which a person interacts in the offline world also is often trustworthy. What happened in the case study being discussed, is that instead of routing the contents of the Contact Us page to the company officials, it was being routed instantly to the entire mailing list of the enterprise. The Contact Us form had fields for personal information. Now, the problem was that the form had been by the user under the impression that it will be visible to the eyes of the company officials only. Thus, the user's wording and tone of language may have been biased by that. Secondly, in addition to the message, the personal contact details were broadcast to all the subscribers. Not only was this a breach of privileged information, but also annoying. Twitter was lit up with the discussions of this data breach with a hashtag created to tag the tweets- #whsmithfail (Day, 2015) . 2. WHSmith contracts its email services to a third-party company I-subscribe. The company provides forms which are then embedded into the web pages. The data submitted via the form goes to I-subscribe, which then handles it on behalf of their customer, in this case, WHSmith. What was happening was that the software code at I-subscribe responsible for routing the email messages had a bug, which wrongly routed the Contact Us form submissions. To be clear, a software bug is the mistake of the developer or the company creating the software. As soon as WHSmith was made aware of the issue, they contacted their contractor I-subscribe, and the latter took down the form and started working on fixing the bug. The exact details of why the software bug was present and what conditions triggered it are neither in public domain (as their software is proprietary) nor relevant to the discussion at hand. We know that a software bug caused this data breach. Possible Solutions for Preventing the Breach in Future As far as the retailer WHSmith is concerned, the authors of this paper find it clean. They, after all, hired another company to manage its subscription and forms services, and the contracted company, I-subscribe business function is managing email subscriptions. Thus, we have suggestions for both the client as well as the contractor. The client should get a written Service Level Agreement (SLA) and responsibility in case of a data breach. The contractor should test their software before using it on production servers with live client data. Hack A hack is deliberate attempt to compromise a computer system ("hack", n.d.), and is characterised by malicious intent. The acting parties in a hack are outsiders. The goals of attackers in a hacking attack range from entertainment to undermining the interests of an enemy or nation or opposition organisation (Spivak, 2012). Thus, hacking is performed not only by criminals, programmers, and activists but also nation states using Internet and information systems as a new platform of war against enemy nations. For this report, public information on hacks between 2012 to 2016 was researched, and one was chosen for elaboration. Social networking on the World Wide Web (WWW) is a big business (Tran, 2016). The attack being discussed in this report is a professional social networking site - LinkedIn. LinkedIn is a network where anyone with an email address can join, create his public facing rsum, become friends with other profiles on the site. Additional tools include sending private messages, posting articles using LinkedIn's publishing tools, and other standard facilities which users have come to expect from any social networking site. LinkedIn is a big company, and users who join this site expect their privacy and the data to be protected. In 2012, attackers invaded LinkedIn's systems and stole login credentials (email and password) about 6.5 million users (Schroeder, 2012). Problem Users trust public companies like LinkedIn with their data. Email addresses of active users is a prize in the email spam business, and leaked databases are one of the best sources (Hoffman, 2014). Also, most business owners would like to pry on the online activities of their employees (Ballman, 2013) (Gee, 2017). Thus, professional networking and job search sites have an extra responsibility to keep the data of their users secure. As an illustration, policies of some companies may forbid employees from looking for a new job till they are working in that company. Such a user may begin his search in a private mode. The attack which is being discussed in this report was done by criminals for financial gains (Association, 2016). However, the possibility has been proven that such data is not secure. The problem is that some people were able to overrun all the security procedures of LinkedIn and get away with private data. Later on, in 2016, it turned out that the 2012 revelation was tip o f the iceberg. Within the same attack about 100 million users' details were stolen (Association, 2016), thus raising the total count to about 117 million users (Griffin, 2016). Affected by the Hack and How In this attack, users of LinkedIn who were in the pool of the around 6.5 million database records stolen were affected. The data stolen was put on sale in the black market on the Internet (Rogers, 2016). Now, the aftermath of the attack could have left the millions of users exposed, not only by the criminals but potentially also by prying employers. Nothing would have been off the table since the data was out on the Internet. However, in a professional handling of the incident, LinkedIn came forward and publicly accepted the attack (Silveira, 2012), provided live updates on the Twitter feed, published best-practices articles. Most importantly, LinkedIn promptly deactivated the passwords of all the users whose data was stolen. Follow-up emails were sent to the affected users alerting and advising them on next steps. The act of deactivating the passwords was a prudent one. It significantly reduced the value of the loot for the criminals. They still have access to emails of the people, but still, they cannot access the LinkedIn accounts per se. Some industry experts believe that the haul of the valid email addresses of working professionals may be grabbed by the spam industry (Rogers, 2016). They believe so since the price of the data set is relatively lower. In any case, successful sale of such data will only encourage the attackers to carry on their activities (Zilberman, 2017) (Westervelt, 2014). Attack Carried Out The details of this attack are incomplete. The true picture has not emerged more so since two nations - America and Russia - are in a tug-of-war about the alleged hacker. Still, the public records indicate that the hacker sends a malware to a company employee's computer. Later on, that malware was used to crawl the network and gain deeper access to LinkedIn's systems and finally to the database (RadioLiberty, 2016). Showing responsibility, LinkedIn reset the passwords for the 100 million newly surfaced accounts as soon as it got this new information (Reuters, 2016). Measures Which Can Prevent Such Attacks From what information is available, it appears that the launching pad for this attack was malware. How the hacker was able to install the malware on a computer of the company is not known. It could be a deceptive email, some random website which a LinkedIn employee visited, or any other of the many ways possible to infect any computer connected to the Internet. Also, that malware had the capability to bypass internal security checkpoints, as well send data back to the hacker. Considering these points, it is recommended that stricter rules be put in place to kill any malware suspected incoming data. This malware could be via email, infected web page, or even a flash drive (also known as a pen drive or USB drive). Also, no outside storage media should be allowed in the office premises. Also, firewalls should be updated so as to track outgoing data also. A review of the internal security of an organisation's network is recommended so that any malware is identified. Intrusion Detection S ystem (IDS) and anomaly detection techniques may be helpful in this regard. Conclusion This report looked into publicly available data on breaches and hacks. A data breach concerning the heads of states, and an attack stealing the email addresses and passwords of a popular social networking site were discussed. While the data breach was a case of human error and negligence, the attack was an example of fine programming skill put to illegal use. For both the case studies, the report explored the problem, the affected parties, ways by which the incident happened, and recommendations for preventing such incidents in future. References Association, P. (2016). Hacker advertises details of 117 million LinkedIn users on darknet. The Guardian. Retrieved 1 April 2017, from https://www.theguardian.com/technology/2016/may/18/hacker-advertises-details-of-117-million-linkedin-users-on-darknet Ballman, D. (2013). 10 New (And Legal) Ways Your Employer Is Spying On You. AOL.com. Retrieved 1 April 2017, from https://www.aol.com/article/2013/09/29/new-ways-employer-spy/20699464/ Council, B. (2016). Brisbane's 2014 G20 Leaders' Summit | Brisbane City Council. Brisbane.qld.gov.au. Retrieved 31 March 2017, from https://www.brisbane.qld.gov.au/about-council/governance-strategy/economic-development/brisbanes-2014-g20-leaders-summit Farrell, P. (2015). Personal details of world leaders accidentally revealed by G20 organisers. The Guardian. Retrieved 31 March 2017, from https://www.theguardian.com/world/2015/mar/30/personal-details-of-world-leaders-accidentally-revealed-by-g20-organisers Gee, K. (2017). The Not-So-Creepy Reason More Bosses Are Tracking Employees. WSJ. Retrieved 1 April 2017, from https://www.wsj.com/articles/the-not-so-creepy-reason-more-bosses-are-tracking-employees-1490101200 Griffin, A. (2016). Hacker advertises details of 117 million LinkedIn users on darknet. The Guardian. Retrieved 1 April 2017, from https://www.theguardian.com/technology/2016/may/18/hacker-advertises-details-of-117-million-linkedin-users-on-darknet hack. Dictionary.com. Retrieved from https://www.dictionary.com/browse/hack Hoffman, C. (2014). How Do Spammers Get Your Email Address?. Howtogeek.com. Retrieved 1 April 2017, from https://www.howtogeek.com/180477/htg-explains-how-do-spammers-get-your-email-address/ Day, K. (2015). Ke Day on Twitter. Twitter.com. Retrieved 1 April 2017, from https://twitter.com/KenDay/status/638999331350151168?ref_src=twsrc%5Etfwref_url=http%3A%2F%2Fwww.businessinsider.com%2Fwhsmith-customer-emails-data-privacy-2015-9 England, L. (2015). People are freaking out because WHSmith is accidentally emailing customer contact details to other customers. Business Insider. Retrieved 1 April 2017, from https://www.businessinsider.in/People-are-freaking-out-because-WHSmith-is-accidentally-emailing-customer-contact-details-to-other-customers/articleshow/48772997.cms RadioLiberty, R. (2016). U.S. Charges Russian Hacker With Stealing LinkedIn Data. RadioFreeEurope/RadioLiberty. Retrieved 1 April 2017, from https://www.rferl.org/a/us-charges-russian-hacker-nikulin-stealing-date-linkedin-san-francisco-dropbox-formspring-/28068596.html Reuters, T. (2016). LinkedIn to wipe out passwords for 100 million hacked accounts - Business Insurance. Business Insurance. Retrieved 1 April 2017, from https://www.businessinsurance.com/article/20160518/NEWS06/160519773/LinkedIn-data-breach-hack-2012-100-million-accounts-passwords Rogers, J. (2016). Hacker looks to sell 117M LinkedIn passwords from 2012 data breach. Fox News. Retrieved 1 April 2017, from https://www.foxnews.com/tech/2016/05/19/hacker-looks-to-sell-117m-linkedin-passwords-from-2012-data-breach.html Schroeder, S. (2012). 6.5 Million Encrypted LinkedIn Passwords Leaked Online [REPORT]. Mashable. Retrieved 1 April 2017, from https://mashable.com/2012/06/06/6-5-million-linkedin-passwords/#0qSP.pTP0GqT Security Breach. Techopedia. Retrieved from https://www.techopedia.com/definition/29060/security-breach Silveira, V. (2012). An Update on LinkedIn Member Passwords Compromised. Blog.linkedin.com. Retrieved 1 April 2017, from https://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised Singh, A. (2015). Is Big Data the New Black Gold?. WIRED. Retrieved 31 March 2017, from https://www.wired.com/insights/2013/02/is-big-data-the-new-black-gold/ Spivak, W. (2012). Hacking (1st ed., p. 13). Lulu.com. Temperton, J. (2015). WHSmith data breach spams confidential customer details. WIRED UK. Retrieved 1 April 2017, from https://www.wired.co.uk/article/whsmith-data-breach-customer-emails Tran, T. (2016). What is the valuation of a social network company?. Quora. Retrieved 1 April 2017, from https://www.quora.com/What-is-the-valuation-of-a-social-network-company/answer/Tony-Tran-75 Westervelt, R. (2014). What Is That Stolen Data Worth? 11 Most Lucrative Hacking Targets, Services. CRN. Retrieved 1 April 2017, from https://www.crn.com/slide-shows/security/300075162/what-is-that-stolen-data-worth-11-most-lucrative-hacking-targets-services.htm Zilberman, B. (2017). How Lucrative is Confidential Data? Prime Bounty for Hackers, Top Concern for Businesses. Radware Blog. Retrieved 1 April 2017, from https://blog.radware.com/security/2017/01/lucrative-confidential-data/
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.