Face meet palm
So it’s red faces all round at security behemoth Symantec this week. But not as red as the faces at Symantec subsidiary LifeLock, a company whose mission is to protect its customers from nothing less than identity theft, and which sells clean-up services for after a personal data breach.
Security researcher and former LifeLock customer Nathan Reese received an invitation to renew his account as part of an online marketing campaign (you know, the really annoying kind). Nathan clicked on unsubscribe and noticed that doing so revealed his subscriber number. Minutes later he had written some proof-of-concept code and was happily pulling the subscriber numbers and email addresses of other LifeLock customers.
Fortunately for those customers, Mr Reese did not use the exposed details to launch a spear-phishing attack on LifeLock’s unsuspecting customers and, with grim irony, steal their identities and money (mwahahaha), oh no. Unfortunately for Symantec and LifeLock alike, he passed the details to none other than the mightily esteemed Mr Brian Krebs, who, after informing the companies concerned, wrote the whole thing up on his very widely read website.
As you will see from BK’s piece, and from the Symantec website, Symantec was very quick to pin the vulnerability on, you guessed it, a third-party marketing company, which is presumably getting its coat and turning off the lights as you read this.
How many incidents of third-party misconfiguration or incompetence do we have to see before people start to think a lot harder about how this sort of connectivity and access is managed? From holes in your S3 buckets (dear Lisa) to leaving APIs open for investigation by world+dog, there seems to be no end to this madness.
Only yesterday we were discussing application testing at ITC Towers, and how the application testing tools and techniques currently used by large enterprises are very likely to be adopted by smaller businesses too, most likely mandated by the big boys they supply.
Thorough and continuous testing of applications for coding errors and vulnerabilities is the only way forward.
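To make the class of defect concrete, here is an added example in Python. It is not code from the original post, nor LifeLock’s or its marketing supplier’s actual implementation; it shows the unsubscribe-link pattern described above in its vulnerable form (a handler that trusts a bare subscriber number from the link and echoes the account’s email address) beside a hardened form (a handler that accepts only an HMAC-signed token and returns nothing about the account). The subscriber table, the server secret and the assumption that subscriber numbers were predictable are all constructed for the demo.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample subscriber table (not real data). Small consecutive ids
# model the assumption that the identifiers were predictable; the post does
# not describe the actual numbering scheme.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}

# Hypothetical server-side secret for the demo; in production it comes from
# a secrets store and is rotated, never hard-coded.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def unsubscribe_insecure(params: dict) -> dict:
    """Vulnerable pattern: the link carries the bare subscriber number, the
    handler trusts it with no proof that the caller owns the account, and the
    response echoes the account's email address. Changing the number in the
    URL returns another customer's details."""
    try:
        sid = int(params.get("subscriber_id", ""))
    except ValueError:
        return {"status": "bad_request"}
    email = SUBSCRIBERS.get(sid)
    if email is None:
        return {"status": "not_found"}
    return {"status": "unsubscribed", "subscriber_id": sid, "email": email}


def make_unsubscribe_token(subscriber_id: int) -> str:
    """Hardened pattern, part 1: the link carries an opaque token binding the
    subscriber id to an HMAC-SHA256 tag under the server secret. The id can
    still be read out of the token, but it cannot be altered or fabricated
    for another account without the secret."""
    payload = str(subscriber_id).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"." + tag).decode()


def verify_unsubscribe_token(token: str) -> Optional[int]:
    """Return the subscriber id if the token's tag is valid, else None.
    The tag comparison is constant-time so timing does not leak tag bytes."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # includes binascii.Error on malformed input
        return None
    payload, sep, tag = raw.partition(b".")
    if not sep or not payload.isdigit():
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return int(payload)


def unsubscribe_hardened(params: dict) -> dict:
    """Hardened pattern, part 2: accept only a valid token, perform the
    unsubscribe as a side effect, and return nothing about the account.
    Forged tokens and unknown ids get the same answer, so the endpoint is
    not an oracle for which subscriber numbers exist."""
    sid = verify_unsubscribe_token(params.get("token", ""))
    if sid is None or sid not in SUBSCRIBERS:
        return {"status": "invalid_link"}
    return {"status": "unsubscribed"}


if __name__ == "__main__":
    # The insecure endpoint hands back Bob's email to whoever supplies his number.
    print(unsubscribe_insecure({"subscriber_id": "1002"}))
    # The hardened endpoint needs the signed link that only the mailer can mint.
    link_token = make_unsubscribe_token(1002)
    print(unsubscribe_hardened({"token": link_token}))
    # A bare number or any unsigned value is rejected with no detail.
    print(unsubscribe_hardened({"token": "1003"}))
```

The two things a tester should look for in any such flow are visible here: whether the identifier in the link can be swapped for a neighbour’s without any check, and whether the response leaks more about the account than the action requires. A signed token fixes the first; returning only a status fixes the second. Rate-limiting and alerting on bursts of invalid tokens is the natural detection to pair with it.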
If you would like your cyber posture assessed, to discuss application or web security testing, or indeed anything else in the muddied waters of cyber security, please contact us at [email protected] or call 020 7517 3900. Our keen and eager, if slightly sweaty, crack team awaits your call.