Tuesday 10 February 2015

Sweating Like a Moonpig and Other Data Security Lessons

Here is an article I was asked to write for a magazine regarding the Moonpig incident, which was republished on the work blog here: http://www.mtibytes.com/post/Sweating-Like-a-Moonpig-and-Other-Data-Security-Lessons

=============
It has now been widely publicised that Moonpig, one of the UK’s largest personalised greeting card companies, had a major security vulnerability in its website, which remained unfixed for 17 months. Despite being notified, the company chose not to act for the better part of 2014, leaving the personal data of 3 million customers (including partial credit card details) exposed to the public.

The vulnerability in question is fairly basic and relates to the way individual users are authenticated. For months, the lack of authentication allowed access to any user's account simply by connecting to the Moonpig servers via the API and changing the customer ID number sent in API requests. Because nothing further was checked, this could have been repeated 3 million times with a simple piece of software in order to steal personal data, including names, addresses, and credit card details.
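The flaw described above is an insecure direct object reference: the server trusts the customer ID the client supplies instead of deriving it from the caller's session. The following is an added example, not Moonpig's code, modelling that pattern beside a hardened handler; the customer records, session tokens and the `Request`/`Response` types are all constructed for illustration.

```python
"""Insecure direct object reference (IDOR) on a customer-lookup API.

Added example, not Moonpig's code: a minimal in-memory model of the
flaw described above (customer ID taken from the request and trusted)
beside a hardened version that binds the lookup to the caller's session.
All names, tokens and records below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Constructed sample data: a tiny customer table and a session store.
CUSTOMERS = {
    1001: {"name": "A. Customer", "address": "1 Example Road", "card_last4": "4242"},
    1002: {"name": "B. Customer", "address": "2 Example Road", "card_last4": "1111"},
}
# Opaque session tokens mapped to the customer they were issued to.
SESSIONS = {
    "tok-for-1001": 1001,
    "tok-for-1002": 1002,
}


@dataclass
class Request:
    path_customer_id: int             # the ID in the URL or query string
    auth_token: Optional[str] = None  # Authorization header, if any


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_get_customer(req: Request) -> Response:
    """The flawed pattern: whatever ID the caller sends is looked up directly.

    Authentication is never consulted, so changing the number in the
    request walks the whole customer table.
    """
    record = CUSTOMERS.get(req.path_customer_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def hardened_get_customer(req: Request) -> Response:
    """Bind the lookup to the authenticated identity, not to client input.

    1. No valid session            -> 401 (unauthenticated)
    2. Session is another customer -> 403 (forbidden; 404 is also a
       defensible choice if you prefer not to confirm the other ID exists)
    3. Only then read the record, and only by the session's own ID.
    """
    owner = SESSIONS.get(req.auth_token) if req.auth_token else None
    if owner is None:
        return Response(401)
    if owner != req.path_customer_id:
        return Response(403)
    record = CUSTOMERS.get(owner)  # keyed on the session's ID, never the URL's
    if record is None:
        return Response(404)
    return Response(200, record)


def cross_account_check(handler: Callable[[Request], Response],
                        ids: Iterable[int],
                        token: Optional[str] = None) -> dict:
    """Review-time negative test: which IDs can one caller read?

    For a correct handler every ID other than the caller's own should come
    back as 401/403. Run this against every endpoint that takes an ID.
    """
    return {cid: handler(Request(cid, token)).status for cid in ids}


if __name__ == "__main__":
    ids = range(1000, 1004)
    print("vulnerable:", cross_account_check(vulnerable_get_customer, ids))
    print("hardened  :", cross_account_check(hardened_get_customer, ids, "tok-for-1001"))
```

The point of `cross_account_check` is that this class of bug is trivial to assert against in a test suite: a single parameterised test that logs in as one customer and requests a neighbouring ID catches it on every build, which is exactly the kind of ongoing check a one-off penetration test at release time does not give you.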

Widespread consequences
One critical lesson from Moonpig’s vulnerability is that data security does not end when the user logs off. Often all that is needed to take control of someone’s entire digital life is a billing address and the last four digits of an associated credit card number. Once a threat is identified, inaction on the part of the service provider can prove just as devastating as creating the security hole in the first place. Moonpig may not have directly leaked its customers’ data; however, it made that data directly accessible to anyone capable of writing some simple code.

The ramifications aside, Moonpig severely jeopardised its customers’ trust. As custodians of customer data, companies that process payments have an ethical obligation to fix basic security issues within a reasonable timeframe. Moreover, they have a legal obligation to protect that data. In the case of Moonpig, Price, the researcher who disclosed the vulnerability, should have contacted an enforcement authority such as the Information Commissioner instead of going public with it.

Next steps
Moonpig’s API vulnerability highlights an area that is poorly documented and routinely overlooked in security testing, but there are easy steps that can mitigate this threat, such as patching operating systems, applications, and known vulnerabilities. When developing code, many organisations believe that a code review or penetration test on completion is sufficient; however, an application is rarely finished, and subsequent bug fixes, code changes, additional features, and functions are added throughout its life. It is therefore necessary to have ongoing code reviews during the development cycle, with a code review and penetration test on completion of each stage. In effect, the code review has to be as agile as the development itself.

Many threats and vulnerabilities reside within organisations for months or even years before discovery, and when they are revealed, it is often a third party that blows the whistle. Even after several warnings of the code vulnerability within its Android application, Moonpig seemingly chose to do nothing to resolve the issue. From banks to greeting card companies, when customers give out their data they trust that the vendor will take appropriate measures to encrypt and safeguard their personal information. As the threat landscape changes, many organisations do not seem to have the agility to uphold this implicit trust.

Saturday 7 February 2015

Explaining Malvertising to a five year old [Link - TechWeek Europe]

I was asked to write a piece about explaining Malvertising to a five year old. Here was my response:

“You've probably used, or seen someone use, a website. It may have been to find out information, play games or send emails. Websites cost money to make and to keep available for people on the Internet.

“One way that owners of websites pay for it is to have adverts on the website. You often see these on the top or to the side of bits you want to read. If you click on the advert and buy something, the original website owner is paid a small amount of money. Malvertising is when bad people take control of the adverts, so when they are clicked on, your computer downloads a bad program called malware. Malware can collect important information from your computer and send it to people who shouldn't have it, hide your things and ask you to pay to unhide them, or even just break your computer. It is nearly impossible to tell the difference between a genuine advertising site and a malvertising site. The best way to prevent this is to run programs called anti-virus or anti-malware.”

The article can be found here: http://www.techweekeurope.co.uk/e-marketing/how-explain-malvertising-161382