External Hacks are More Serious than You Think

If you really look at security breaches you will notice that the vast majority are caused from the outside—not the inside.  Security experts and industry personnel have led us to believe that disgruntled employees, misplaced documents, flash drives and devices and sheer management policies are more prevalent than hackers.  Well guess again.  We spoke to art of defence’s Sebastian Haase on this and he shared with us that this is not necessarily the case.  Yes—internal breaches do occur and they are serious, but so are external hacks, particularly those to the web application layer.  If you look at Jeremiah Grossman’s presentation, Web Vulnerabilities Revealed: What everyone knew, but afraid to believe, you will read startling web vulnerabilities statistics based on the OWASP Top Ten and realize that these weakness are clear openings for hackers.

According to Jeremiah’s presentation, 9 out of 10 websites have serious vulnerabilities and sites with urgent, critical or high severity issues will not pass PCI compliance—a major concern for financial services, retail and e-commerce.  Another consideration to think about is the amount of time it takes to fix vulnerability—67 days!  This known weakness heightens the situation for companies and increases the chance of a severe breach.  It is important to shield applications from web vulnerabilities with a distributed web application firewall (dWAF) and protect against widespread external hacks.

Follow this conversation on twitter @hyperguard

Some Rocky Times for RockYou

SQL injections are one of the biggest problems in web application security—we’ve seen it with Heartland, 7-Eleven and Hannaford Brothers, and now RockYou.  These attacks are widely known and publicized; however, it still takes companies, who have experienced attacks, 67 days to resolve these issues!

Early December, RockYou, provider of third-party apps for Facebook, MySpace and other social-networking, suffered a data breach that exposed nearly 32 million RockYou users’ e-mails and passwords.  This information had been stored in plain text and was vulnerable through a SQL security hole.  Now, Alan Claridge, an affected user, filed for a proposed class action lawsuit on December 28 for failing to properly secure his data, allowing hacker ‘igigi’ to gain access to it and failing to promptly notify him about it.

Although, we are not certain of the exact technology being used by RockYou, but if a dWAF was being used it could have prevented this hack and saved the company from this disaster.  More importantly, RockYou could have protected its’ customers’ PII (personal identifiable information).  Because a dWAF is flexible it allows patches to be applied with minimal disruption to the network—quite helpful for situations like these.

Moving forward RockYou will be further investigating the breach, reviewing its security protocols and implementing new practices:

• Encrypting all passwords
• Upgrading the legacy platform with the same infrastructure and industry standard security protocols we employ on our partner applications platforms
• Reviewing our current data security features and ensuring that they meet industry standards and best practices

To read more background on the RockYou breach check out SC Magazine’s article.

Follow this discussion on Twitter @hyperguard