Risk

Vodafone's BreachA Painful Lesson In Shared Passwords

Vodafone's embarrassing breach should serve as a wake-up call for enterprises that also engage in the dangerous practice of credential-sharing

The Australian operation of the wireless carrier Vodafone is feeling the full range of consequences from an information security breach--from notifying customers to firing employees to facing down regulators. And it's all because of a common but unsafe practice: Allowing shared passwords within enterprise accounts.

Vodafone officials were red-faced in January when they were informed by a journalist that she was able to log into the carrier's customer database using legitimate credentials. Australian Privacy Commissioner Timothy Pilgrim announced an investigation into the breach, and Vodafone warned customers of the problem and fired a number of employees in connection with the matter.

Vodafone said it acted quickly to shut down improper access. CEO Nigel Dews assured the public that Vodafone had changed passwords across the board and implemented more stringent password policies, including more frequent changes.

Account credential sharing is hardly a one-off problem in any big company, says Adam Bosnian, executive VP with Cyber-Ark Software, a security vendor. He's seen it most in retail environments, if turnover's high and there's no easy way to create and delete accounts when people join or leave the company. So companies take the efficient but "inherently risky" approach of just using generic, shared accounts, he says.

Password sharing can be particularly troublesome with databases accessed by Web applications, such as the one that powers Internet access to Vodafone's customer database, warns Phil Lieberman, CEO of Lieberman Software. "What happens is that there are certain high-powered accounts that are used by applications and also by users--call them 'generic accounts' because they end up being shared," he says.

One problem with such an account is there's no audit trail--you don't know if an app automatically accessed it, or a particular person did. Too many companies allow the practice to continue. IT staff in other companies could face the same fate as those at Vodafone who were fired should their sloppy practices be exposed.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Insider Threat Prevention activated!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7238
PUBLISHED: 2019-03-21
Sonatype Nexus Repository Manager before 3.15.0 has Incorrect Access Control.
CVE-2017-16253
PUBLISHED: 2019-03-21
An exploitable buffer overflow vulnerability exists in the PubNub message handler Insteon Hub 2245-222 - Firmware version 1012 for the cc channel of Insteon Hub running firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriti...
CVE-2017-16254
PUBLISHED: 2019-03-21
An exploitable buffer overflow vulnerability exists in the PubNub message handler Insteon Hub 2245-222 - Firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can send an authenticated HTTP re...
CVE-2017-16255
PUBLISHED: 2019-03-21
An exploitable buffer overflow vulnerability exists in the PubNub message handler Insteon Hub 2245-222 - Firmware version 1012. Specially crafted commands sent through the PubNub service can cause a stack-based buffer overflow overwriting arbitrary data. An attacker can send an authenticated HTTP re...
CVE-2018-3968
PUBLISHED: 2019-03-21
An exploitable vulnerability exists in the verified boot protection of the Das U-Boot from version 2013.07-rc1 to 2014.07-rc2. The affected versions lack proper FIT signature enforcement, which allows an attacker to bypass U-Boot's verified boot and execute an unsigned kernel, embedded in a legacy i...