Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/18/2017
01:45 PM
Kelly Sheridan
Kelly Sheridan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

7 Common Reasons Companies Get Hacked

Many breaches stem from the same root causes. What are the most common security problems leaving companies vulnerable?
3 of 8

Leaving source code exposed
Amit Klein, vice president of security research at SafeBreach, cites source code exposure as a popular and dangerous vector of attack. He notes the Yahoo breach is an example of what can happen when source code is left unprotected.
Yahoo used a weak algorithm to generate session cookies, he explains, which enabled hackers to predict the value of cookies Yahoo assigned to their clients. By creating their own cookies, they could bypass password protection and pose as legitimate users. This enabled them to perform actions and gain information on behalf of other people.
Source code should be protected, says Klein. If exposed, it becomes 'instrumental' in mounting an attack because hackers can find and exploit weaknesses.
(Image: Mclek via Shutterstock)

Leaving source code exposed

Amit Klein, vice president of security research at SafeBreach, cites source code exposure as a popular and dangerous vector of attack. He notes the Yahoo breach is an example of what can happen when source code is left unprotected.

Yahoo used a weak algorithm to generate session cookies, he explains, which enabled hackers to predict the value of cookies Yahoo assigned to their clients. By creating their own cookies, they could bypass password protection and pose as legitimate users. This enabled them to perform actions and gain information on behalf of other people.

Source code should be protected, says Klein. If exposed, it becomes "instrumental" in mounting an attack because hackers can find and exploit weaknesses.

(Image: Mclek via Shutterstock)

3 of 8
Comment  | 
Print  | 
Comments
Threaded  |  Newest First  |  Oldest First
kevinmn
50%
50%
kevinmn,
User Rank: Apprentice
1/18/2017 | 8:58:57 PM
Company Hack
well! in my point of view, there are many reasons that a company may be hacked. It's a long war between companies and hackers. When you look at why people are still getting hacked or breached, I think a big contributor to that is either not knowing if you were patched or if you were patched and you were secure at one point, but something happened in operations that caused you not to be patched again
kbannan100
50%
50%
kbannan100,
User Rank: Moderator
1/23/2017 | 11:45:00 PM
Re: Company Hack
Agree! And when people do something silly like not changing passwords, leaving ports open or not setting expectations of users the problem is only compounded. There was a recent Ponemon study, for instance, that found 62 percent of respondents were pessimistic about their ability to prevent the loss of data contained in printer mass storage and/or printed hard copy documents. They gave reasons for their feelings. You can read the rest of the blog here. It's a bitly: /2cFfLM2

--Karen Bannan for IDG and HP
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2017 | 11:23:04 AM
Re: Company Hack
@kbannan: Interesting point, considering that German and Russian government entities have reportedly gone back to typewriters in some instances to increase data security on particularly sensitive matters.

What this comes down to is M&M security (hard on the outside, soft in the middle) vs. holistic security throughout.  The locks on my office door are probably easy to bypass for someone wilful enough.  But the lock on my office safe presents a new and harder challenge.  If I don't have that safe or don't use that safe, however, then a bad guy just needs to get past my office door.

The same principle applies equally among both physical security and cyber security, of course.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/24/2017 | 8:30:40 AM
Missing #8: Being a target
While these are great examples of *how* a company can get hacked, one of the biggest *whys* in my experience -- and perhaps a more powerful "security" flaw than any of those listed here -- is being a big target in the first place.

Consider Sony, which sued a 13-year-old hacker for modifying his PlayStation.  In the wake of the PR disaster that followed, the company and its PlayStation Network suffered countless mega-hacks.  In choosing to listen to the legal department without properly taking into account any counterbalancing viewpoints erring on the side of risk management, Sony may as well have painted a big red target on its back and announced to the world, "Open for hacking!"

Less notoriously, consider the University of Virginia hack a couple years ago that was traced back to Chinese operatives.  The only information, apparently, that the hackers wanted was in relation to two particular employees.  Employing these two high-interest individuals was enough to bring U-Va. within the crosshairs of nation-state hackers.

Flaws are flaws.  Everybody has security flaws.  But there is something to the idea of security by obscurity.
Navrit
50%
50%
Navrit,
User Rank: Apprentice
1/25/2017 | 6:02:08 AM
Re: Missing #8: Being a target
This article is d 'Une grande importance Parce Que pour moi la sécurité de nos Données is a première et essentielle commentaire réussir in the sauvegarde de nos informations et d' eviter tout tracas et perte de Données.  
Redhat62!
0%
100%
Redhat62!,
User Rank: Apprentice
1/27/2017 | 12:45:19 PM
Password? Really?
What evidence exists that default non-unique, or weak passwords are a common reason?
VesnaE29
50%
50%
VesnaE29,
User Rank: Apprentice
1/28/2017 | 10:10:34 PM
Reasons why companies get hacked
Here is an admission of guilt - I used to hack when i was in my 20s and when I thought it was fun slipping trojans into peoples emails, running port scans and checking for open telnet ports.  It was kind of, well, fun and exhilareting to do something others didn't know how to do.  What that makes you realise is that people are well, lazy when it comes to securing their data.  People fail to realise what their data is worth to someone else, period.  And to be honest here, social engineering never, ever seems to fail.  You can have 10 firewalls sitting around your data and have a DMZ inside the DMZ, but all it takes is for a person to off handedly mention an IP address you can use, or a password for a device that allows you to get onto another advice and then get to that dbase that holds the information you want to access.  The way I see it, educating people is the ONLY way to go.  Teach people how to write good codes. Teach them how to recognise corrupt codes. Teach them to keep their egos in check and not just broadcast information about secure data to others, because that exposes them to social engineering risks.  Education and more education is the key.  I don't think it will ever stop hacking and cyber attacks because there are a lot of curious people out there, but at least it will minimise the damage when data security breaches and thefts occur.   
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24368
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.