Risk
4/29/2013
07:38 PM
Tim Wilson
Tim Wilson
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Big Data Makes A Big Target

LivingSocial.com is another in a long line of "big scores" for data attackers

"Now nobody get nervous, you ain't got nothing to fear. You're being robbed by the John Dillinger Gang, that's the best there is!" -- John Dillinger

Since the first cavemen planned their first theft of fresh meat from a rival tribe, the bad guy has always looked for the big score. From Jesse James to John Dillinger to Willie Sutton, there have always been those who hunted the big game.

The world of cybercrime isn't much different. While there are plenty of hackers who make a good living cracking small business accounts or stealing individual identities, the most ambitious attackers prefer a challenge. NASA. The White House. The National Security Agency. And it's hardly a surprise to hear that hackers are taking plenty of shots at today's golden gooses of user information: Facebook, Twitter, and Google.

With all of this as backdrop, it constantly amazes me that large, hugely successful organizations still often fail in their efforts to preserve databases of hundreds of thousands -- sometimes millions -- of users. How can such enormous volumes of data be compromised?

This weekend's breach of 50 million customer records at digital deals site LivingSocial.com is just the latest of many "big scores" registered by attackers during the past few years, and it won't be the last. From the Veterans Administration in 2006 to Heartland Payment Systems in 2008 to Sony in 2012, the cybersphere is littered with incidents in which a single breach affected millions of users.

In virtually all of these cases, major, successful businesses created huge stores of sensitive user data -- and then failed to secure them properly. In many cases, they built databases with the value and attractiveness of Fort Knox on the back end and Web applications with the security of a Wal-Mart revolving door on the front end. It's mind-boggling.

What's surprising is not that there were vulnerabilities in these systems and applications -- few come out of development without flaws these days. A study published earlier this month by Cenzic suggests that 99 percent of all applications contain vulnerabilities.

What's surprising is that organizations that maintain such huge stores of valuable data don't do more scanning, penetration testing, and vulnerability assessment of their systems on a regular basis. The 2013 Verizon Data Breach Incident Report, posted two weeks ago, indicates that most breaches are still found not by the victim organization, but by a third party.

If you are Mom and Pop's Grocery, then you might still be a target for cybercriminals. But if you are NASA, Google, McDonald's, or General Motors, you can *bet* on it. If you are a business that holds millions of users' personal data, you can count on constant attacks, ranging from hobbyists to the Russian mafia. If you are visible and successful, you will be attacked.

With this in mind, it's important for companies that maintain valuable data stores to take precautions. LivingSocial.com helped itself by storing passwords in an encrypted form that was both salted and hashed. In the end, it might have helped itself even more by conducting constant vulnerability scans, pen tests, and risk assessments, even on production systems. It's not enough to test before deployment -- you have to test after your systems and applications are deployed as well.

Big-game hackers, like the famous thieves and bank robbers before them, are going to keep looking for the big score. If you happen to have such a score in your enterprise, you'd better be thinking about what you're doing to stop them. If you don't, you might very likely be the next big headline. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
5/27/2013 | 2:56:28 PM
re: Big Data Makes A Big Target
I have to agree that
in order to keep your security systems up to date they must under go personal
penetration testing to see what their threats and vulnerabilities are. I have
to further say that if you are a large company then you must go through these
tests in order to ensure the security of your users data. I still say even if
you are a small mom and pop shop you should do a little homework in regards to
maintaining your own security. LivingSocial at the very least was smart enough
to encrypt the passwords, so the attackers were limited in some source.

Paul Sprague

InformationWeek Contributor
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.