There’s no shortage of major cyber-attacks across the globe wreaking damage. In fact, Australia is number one in the world for data breaches, which is a stat that makes us security nerds weep and something we need to change, pronto!
So, in the spirit of raising security awareness, over the next two weeks we will be counting down what we consider to be the most notable security fails of 2016 — arming you with ways to minimise the risk, to stop something similar happening to you and your organisation.
Census – the massive cyber-attack that wasn’t
The Census of Population and Housing (Census) is Australia’s largest statistical collection undertaken by the Australian Bureau of Statistics (ABS).
It is compulsory to complete, and Census ran a national public awareness campaign appearing across television, print, online and radio encouraging everyone in Australia (at the time) to complete the census on “Census Night” or risk a fine.
Unfortunately, when “Census Night” rolled around, the online Census crashed and was unavailable to the public for days afterwards.
Despite fingers being pointed at cyber-attackers, a simple lack of capacity planning and testing is what ultimately brought the Census to its knees.
An official Senate Committee inquiry found the 2016 Census was a failed online project with inadequate protection against even a “minor attack” with serious privacy implications.
It found the online national survey failed to withstand four “minor” Distributed Denial of Service attacks (DDoS) on the night, IT contractor IBM was not immediately able to restore service due to a failure to adequately test its technology, and the Bureau chose to take the system offline to assess whether it had been hacked.
The online attack that caused the Census website to fail, “was of such a small size that it should have easily been handled effectively,” said the report.
But it didn’t stop there. Prior to “Census Night” the ABS advised that, “the online Census form can handle 1,000,000 form submissions every hour. That’s twice the capacity we expect to need.”
However, the Census count encompassed close to 10 million dwellings and approximately 24 million people, the largest number counted to date. Unsurprisingly, the majority of people attempted to fill in the Census at 7:30pm on “Census Night” after dinner, which contributed to the system overload, causing it to fall over.
What our experts say:
“If you fail to plan, you plan to fail.”
If a service requires a high degree of availability and scalability — such as the Census — it is best to move it to a secure cloud service, such as Amazon Web Services (AWS) or Azure. This provides the ability to dynamically expand resources as required to handle shifting loads, as well as ensuring adequate load (stress) testing has been performed.
If the Census site had been tested appropriately, hosted in the cloud, and had the ability to dynamically allocate additional resources as required, #CensusFAIL would have been #CensusWIN.
Red Cross – Australia’s largest security breach
The 28th of October was a gloomy day for the Red Cross. It was on this day that security specialist Troy Hunt’s Have I Been Pwned service received a dump of the personal data of 550,000 blood donors. This dump included information about “at-risk sexual behaviour” which had been leaked from the Red Cross Blood Service in what has been described as Australia’s largest security breach.
An anonymous individual stumbled across the 1.74GB file containing 1.28 million records while scanning IP address ranges for publicly exposed web servers containing .sql files.
That was also the day its website maintenance and development contractor, Precedent, found out about the giant breach it had inadvertently caused.
Precedent was engaged by the blood service to redesign and maintain its core website, www.donateblood.com.au, in 2015.
It created a Drupal 7-based responsive site to make it easier for people who have never donated blood to find out more about the process, and to make bookings for donors much simpler.
The new site was launched to the public in November last year. However, a human error made by one of Precedent’s technical team meant a database backup containing all the information donors enter as part of their booking process was exposed online from a separate server for almost two months, from September 5 this year.
What our experts say:
These sorts of serious misconfigurations are not uncommon; we often see similar issues on client engagements, and, as in the Red Cross case, these misconfigurations or fails are usually caused by third parties such as web hosting providers.
The best way organisations can ensure they do not have similar issues is to engage a professional to conduct penetration testing annually, or whenever any major changes occur. The penetration test should be completed by a security professional who is not associated with, or employed by, the company hosting the website.
If pen-testing had been conducted on the Red Cross site, this data would never have become exposed. Whenever a backup of a database or any other component is taken, it should never be placed in, or left in, the web root. Additionally, access should be restricted to only the applicable site content, with all other locations blocked.
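The check below is an added example (not Precedent’s or the Red Cross’s code) of what a pre-release review of a web root should catch: it walks the served tree, flags anything that looks like a database dump or backup, and prints a deny rule for the web server as a second line of defence. The sample tree, file names and the list of suffixes are constructed for the example.

```python
import tempfile
from pathlib import Path

# Suffixes and name stems typical of database dumps and site backups: none of
# these belong anywhere under a web-served directory (constructed list).
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".bak", ".tar.gz", ".zip", ".dump")
BACKUP_STEMS = ("backup", "dump")


def is_backup_artifact(name: str) -> bool:
    """True if a file name looks like a backup or database dump."""
    lower = name.lower()
    return lower.endswith(BACKUP_SUFFIXES) or lower.startswith(BACKUP_STEMS)


def find_exposed_backups(web_root: str) -> list:
    """Walk the web root and return backup-like files (paths relative to it).
    Anything returned is reachable by a plain HTTP request unless the server
    is explicitly configured to deny it."""
    root = Path(web_root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and is_backup_artifact(p.name)
    )


def nginx_deny_rule() -> str:
    """Belt-and-braces rule: refuse to serve those suffixes even if a stray
    copy lands in the web root again (note it also blocks legitimate .gz/.zip
    downloads, so scope the location block to where they are not expected)."""
    return r"location ~* \.(sql|bak|gz|zip|dump)$ { deny all; }"


def build_demo_webroot() -> str:
    """Constructed sample tree resembling a Drupal 7 web root with one
    stray database dump left under files/."""
    root = tempfile.mkdtemp()
    for rel in (
        "index.php",
        "sites/default/settings.php",
        "misc/jquery.js",
        "sites/default/files/backup/donateblood-2016-09-05.sql",
    ):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed placeholder content\n")
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for hit in find_exposed_backups(demo):
        print("EXPOSED:", hit)
    print(nginx_deny_rule())
```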
Adult Friend Finder – round 2
Nearly 400 million accounts on “grown-ups only site,” Adult Friend Finder have allegedly been exposed in what is believed to be the biggest security breach of its kind.
The attack, which took place in October, resulted in email addresses, passwords, dates of last visits, browser information, IP addresses and site membership status across sites run by Friend Finder Networks being exposed.
The scale of the hack, which was first reported last month, has only now been revealed by stunned data experts who said it is “the largest breach we have ever seen.”
It is the second major leak of private user information in less than two years — and it even contains details of deleted accounts over the service’s 20-year history.
Sister sites — Penthouse, Stripshow and iCams — have also been skimmed of user data, in what cyber security specialists have said is a hack that “raises serious alarm bells.”
In total, nearly 340 million user accounts on “the world’s largest sex and swinger community” are said to have been exposed.
According to Adult Friend Finder, “we did identify and fix an issue that was related to the ability to access source code through an injection vulnerability.”
An underground researcher named “1×0123” posted images on Twitter of a Local File Inclusion vulnerability found on Adult Friend Finder’s servers prior to the hack. This kind of vulnerability can be used to insert files on the server, to print data to the screen, or to execute malicious code.
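To make the Local File Inclusion class concrete, the following is an added example (not Adult Friend Finder’s code, and written in Python rather than the PHP such sites typically run) of a page-include routine in its vulnerable and hardened forms. The directory layout, file names and the “config.php” secret are constructed for the example; the hardened version resolves the final path and refuses anything outside the template directory.

```python
import tempfile
from pathlib import Path


def build_demo_site() -> Path:
    """Constructed sample tree: page templates in templates/ and a
    configuration file one level up that must never be served."""
    root = Path(tempfile.mkdtemp())
    (root / "templates").mkdir()
    (root / "templates" / "home.html").write_text("<h1>home</h1>")
    (root / "templates" / "about.html").write_text("<h1>about</h1>")
    (root / "config.php").write_text("$db_pass = 'constructed-secret';")
    return root


def include_unsafe(root: Path, page: str) -> str:
    # VULNERABLE: the request parameter is joined straight onto the path, so a
    # value such as '../config.php' reads whatever the web server account can.
    return (root / "templates" / page).read_text()


def include_safe(root: Path, page: str) -> str:
    """Hardened: resolve the final path and refuse anything that escapes the
    template directory, then only serve .html files that actually exist.
    An allowlist of known page names is stricter still where the set is fixed."""
    templates = (root / "templates").resolve()
    target = (templates / page).resolve()  # collapses '..' and absolute paths
    if not target.is_relative_to(templates):  # Python 3.9+
        raise PermissionError("refused: page escapes the template directory")
    if target.suffix != ".html" or not target.is_file():
        raise FileNotFoundError(page)
    return target.read_text()
```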
Shockingly, nearly 16 million deleted accounts from the Friend Finder Network’s roster of sites were released — raising questions over why the company kept the details of former users.
In another serious blunder, passwords were either totally visible or badly encrypted in a method that is not considered secure, allowing for easy access to the stolen data.
What our experts say:
Learn from your mistakes – in May 2015 the company was hacked, and according to David Kennerley, director of threat research at Webroot, the attack was incredibly similar to a breach it suffered a year prior.
Not only does the breach appear to have been discovered only once the stolen details were leaked online, but even the details of users who believed they had deleted their accounts (after the first breach) were stolen again.
Over 99% of all the passwords, including those hashed with SHA-1 (a cryptographic hash function designed by the United States National Security Agency), were cracked by Leaked Source, meaning that any protection applied to them by Friend Finder Networks was wholly ineffective.
Leaked Source said: “At this time we also can’t explain why many recently registered users still have their passwords stored in clear-text, especially considering they were hacked once before.”
When you are storing sensitive client data such as passwords, it should be sufficiently hashed and salted so that, in the event of unauthorised access, the passwords would be extremely difficult to crack.
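The contrast in this section, as an added example (not Friend Finder Networks’ code): an unsalted SHA-1 store falls to a single precomputed table, while a random per-user salt and a slow derivation (PBKDF2-HMAC-SHA256 here, from the standard library) give every user a distinct digest and make each guess cost real work. The wordlist and user names are constructed; the iteration count is an assumed starting point to tune for your hardware.

```python
import base64
import hashlib
import hmac
import os

# Constructed toy dictionary standing in for a cracker's wordlist.
WORDLIST = ["password", "123456", "letmein", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """What the weak scheme stores: one bare SHA-1 digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_unsalted(stored: dict) -> dict:
    """Why unsalted hashes fall quickly: one precomputed table maps every
    user's digest back to the word, and identical passwords share a digest."""
    table = {sha1_unsalted(w): w for w in WORDLIST}
    return {user: table[d] for user, d in stored.items() if d in table}


# Hardened scheme: random per-user salt plus a deliberately slow derivation.
# Tune ITERATIONS so one verification costs around 100 ms on your hardware.
ITERATIONS = 200_000


def hash_password(password: str) -> str:
    """Store algorithm, iteration count, salt and derived key together so
    the parameters can be raised later without breaking old records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iters)
    )
    return hmac.compare_digest(candidate, base64.b64decode(dk_b64))
```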
With regards to deleted accounts, once the user deletes them, organisations should purge them from the databases. There is no reason to store former user data.
We can’t say for certain whether or not they have appropriate procedures in place to ensure secure coding practices are adhered to, and web servers and services hardened, but if they don’t – they should. Regular penetration tests across all of their web apps, using alternating vendors, would also go a long way to detecting vulnerabilities before they are exploited. And, of course, monitoring what people are saying on Twitter also helps.
Jarryd Hayne – cyber security talk
Jarryd Hayne, an Australian professional rugby league player for the Gold Coast Titans, found himself at the centre of a ‘porn on the big screen’ fiasco.
He was presenting a seminar about cyber awareness at a Gold Coast high school, focused on wireless security. During the talk — given to 200 students — pornographic images were accidentally shown on the big screen, much to the shock and amusement of the attendees.
Both Hayne and Norton Security, the company that organised the talk, said the pictures definitely did not belong to the NRL star, and were in fact placed there by someone else who had access to the WiFi (which was not secured with a password).
Norton created a demo using an open wireless network with no security. Although this may have been intentional to allow them to demonstrate security issues, they should have taken additional precautions.
What our experts say:
If you are presenting, particularly on security, ensure that you are taking the necessary precautions. We’re all for educating people on security issues, and our team speaks at multiple events and runs live demos, but Norton should have set up a demo highlighting wireless security issues using a network with a key or limited to certain devices. This would have ensured that only their interception of the data would be shown. It also would have blocked access to anyone else who was just “mucking about” or wanting to cause embarrassment.
Yahoo – a breach 2 years old
UPDATE: 16 December 2016 Yahoo has just released details of ANOTHER hacking attack – this time compromising twice as many accounts as the record hack it disclosed in September. If you have a Yahoo account we advise you to change your password! More details here.
On September 22, Yahoo admitted that some 500 million accounts had been stolen by hackers, including encrypted passwords, names, phone numbers and email details.
The breach actually occurred two years prior, but Yahoo only discovered the theft some weeks before the public announcement. Beyond these bare details, not much else is known — a situation that has produced a cascade of questions and allegations. For instance, Yahoo has not disclosed an exact timeline indicating when it learned about the breach. It has, however, stated that the theft was perpetrated by a “state-sponsored actor,” though it provided no technical details to support this claim.
An information-security firm, InfoArmor, has published strong evidence that Yahoo’s data breach was not conducted by a state-sponsored group but rather by private hackers (it calls them Group E), who are selling Yahoo customer data to other criminal groups (and in one instance, to a state-sponsored group). InfoArmor claims that it has been tracking Group E for three years, as it has been selling purloined data for substantial sums.
As there is no information available on how they got in, at least not publicly, nobody knows where the issues lie.
According to a former Yahoo insider, the architecture of Yahoo’s back-end systems is organised in such a way that the type of breach that was reported would have exposed a much larger group of user account information.
All of Yahoo’s products use one main user database (or UDB) to authenticate users. This means that when people log in to products such as Yahoo Mail, Finance, or Sports, the login information goes to one central place to ensure they are legitimate, allowing them access.
According to the insider, the database is huge. At the time of the hack in 2014, it contained credentials for roughly 700 million – 1 billion active users accessing Yahoo products every month, along with many other inactive accounts that hadn’t been deleted.
What our experts say:
Ensure you are segmenting out databases, particularly for customer data, so that an exposure of one database does not compromise multiple sets of data.
Additionally, a multilayered approach to security and regular penetration testing (otherwise known as security best practice) need to be adhered to.