Risk
4/29/2013
07:38 PM
Tim Wilson
Commentary

Big Data Makes A Big Target

LivingSocial.com is another in a long line of "big scores" for data attackers

"Now nobody get nervous, you ain't got nothing to fear. You're being robbed by the John Dillinger Gang, that's the best there is!" -- John Dillinger

Since the first cavemen planned their first theft of fresh meat from a rival tribe, the bad guy has always looked for the big score. From Jesse James to John Dillinger to Willie Sutton, there have always been those who hunted the big game.

The world of cybercrime isn't much different. While there are plenty of hackers who make a good living cracking small business accounts or stealing individual identities, the most ambitious attackers prefer a challenge. NASA. The White House. The National Security Agency. And it's hardly a surprise to hear that hackers are taking plenty of shots at today's golden gooses of user information: Facebook, Twitter, and Google.

With all of this as backdrop, it constantly amazes me that large, hugely successful organizations still often fail in their efforts to preserve databases of hundreds of thousands -- sometimes millions -- of users. How can such enormous volumes of data be compromised?

This weekend's breach of 50 million customer records at digital deals site LivingSocial.com is just the latest of many "big scores" registered by attackers during the past few years, and it won't be the last. From the Veterans Administration in 2006 to Heartland Payment Systems in 2008 to Sony in 2012, the cybersphere is littered with incidents in which a single breach affected millions of users.

In virtually all of these cases, major, successful businesses created huge stores of sensitive user data -- and then failed to secure them properly. In many cases, they built databases with the value and attractiveness of Fort Knox on the back end and Web applications with the security of a Wal-Mart revolving door on the front end. It's mind-boggling.

What's surprising is not that there were vulnerabilities in these systems and applications -- few come out of development without flaws these days. A study published earlier this month by Cenzic suggests that 99 percent of all applications contain vulnerabilities.

What's surprising is that organizations that maintain such huge stores of valuable data don't do more scanning, penetration testing, and vulnerability assessment of their systems on a regular basis. The 2013 Verizon Data Breach Incident Report, posted two weeks ago, indicates that most breaches are still found not by the victim organization, but by a third party.

If you are Mom and Pop's Grocery, then you might still be a target for cybercriminals. But if you are NASA, Google, McDonald's, or General Motors, you can *bet* on it. If you are a business that holds millions of users' personal data, you can count on constant attacks, ranging from hobbyists to the Russian mafia. If you are visible and successful, you will be attacked.

With this in mind, it's important for companies that maintain valuable data stores to take precautions. LivingSocial.com helped itself by storing passwords in an encrypted form that was both salted and hashed. In the end, it might have helped itself even more by conducting constant vulnerability scans, pen tests, and risk assessments, even on production systems. It's not enough to test before deployment -- you have to test after your systems and applications are deployed as well.

Big-game hackers, like the famous thieves and bank robbers before them, are going to keep looking for the big score. If you happen to have such a score in your enterprise, you'd better be thinking about what you're doing to stop them. If you don't, you might very likely be the next big headline.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments
PJS880
User Rank: Ninja
5/27/2013 | 2:56:28 PM
re: Big Data Makes A Big Target
I have to agree that in order to keep your security systems up to date they must undergo personal penetration testing to see what their threats and vulnerabilities are. I have to further say that if you are a large company then you must go through these tests in order to ensure the security of your users' data. I still say even if you are a small mom and pop shop you should do a little homework in regards to maintaining your own security. LivingSocial at the very least was smart enough to encrypt the passwords, so the attackers were limited in some source.

Paul Sprague

InformationWeek Contributor