Published on April 4th, 2017 | by Vatsal Desai
Breach of the Month — March 2017
If you follow the SS8 Twitter feed, you’ll know that every Friday we select a notable breach, leak, or hack as our pick for the SS8 #breachoftheweek. But we also select from these ‘finalists’ to choose a single outstanding breach each month — which was the one we chose as the March #breachofthemonth? This month’s breach threat analysis features the thoughts of engineer Vatsal Desai:
Finalist #1 — NetProspex records
NetProspex is a marketing service provided by Dun & Bradstreet (D&B). The company claims to manage and provide targeted prospect data for their customer companies. Researcher Troy Hunt blogged about a leaked MongoDB containing 33M NetProspex records that contain contact details, job roles and employer information.
Finalist #2 — CloudPets – open MongoDB
CloudPets (a “Spiral Toys” brand) refers to a leak of the data from internet-connected toys for children. The affected toys’ messaging features allow family and friends to send and receive messages via the toy and an app that synchronizes to a cloud service.
Finalist #3 — Wikileaks and CIA
On March 7, 2017, Wikileaks released the first wave ("Year Zero") of confidential CIA documents, with many more planned under the "Vault 7" series. Wikileaks claims to have received these documents from a former US government hacker who shared part of an archive containing documentation of the CIA's hacking activities.
Finalist #4 — America’s JobLink Alliance (AJLA)
AJLA is a web-based job service that links job seekers with employers. The service is offered by the Department of Labor (DOL) and managed by AJLA-TS (Technical Support). AJLA-TS confirmed a data breach that leaked Personally Identifiable Information (PII) such as names, birthdates and SSNs of users who registered before March 17, 2017. According to press reports, the adversary created an account with the web service and exploited a vulnerability that was specific to the application itself.
Finalist #5 — Three Mobile UK
Three, a major mobile service provider in the UK, has now suffered two security issues in 4 months. In November 2016, user data of 133K subscribers was lost after stolen employee credentials were used to access an upgrade database. In March 2017, it was reported that certain customers could access other customers' information when using the My3 app.
And the winner is: CloudPets
The security savvy will understand right away the privacy risk of using a product like this: essentially anything that connects to the internet carries with it the potential to be exploited.
It was in December 2016 that the Shodan scanner found a MongoDB open to the internet without a set password — this was the CloudPets database that stored user data and messages from all toys. Essentially anyone could dump the entire database that contained 820K user records and 2.2M voice recordings without any authentication.
Additionally, both the production and the test database were exposed, and they sat on the same IP address as the mobile app's backend, making the database easy for adversaries to locate. CloudPets does hash user passwords with bcrypt, and bcrypt is a deliberately slow hash that makes brute-force attempts expensive. That protection is undermined, however, because the CloudPets app enforces no password policy: users could set a password as simple as "abc" or even just "1", and the app's own tutorial uses the password "qwerty". Eventually, certain adversaries seized the database full of user data and demanded a ransom in bitcoin for its return.
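The open-MongoDB exposure described above comes down to two settings: the server listening on every interface and no authorization being required. As an added illustration (not code from the original post or from CloudPets), the script below parses a YAML-style mongod.conf and flags both conditions; the two sample configs are constructed, and the parser is a minimal one for this two-level layout, not a general YAML parser.

```python
def parse_mongod_conf(text: str) -> dict:
    """Parse `section:` / `  key: value` lines into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith((" ", "\t")):       # top-level section, e.g. "net:"
            section = key
            conf.setdefault(section, {})
        elif section is not None:                 # nested key, e.g. "bindIp: 0.0.0.0"
            conf[section][key] = value.strip()
    return conf


def audit_mongod_conf(text: str) -> list:
    """Return human-readable findings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    findings = []
    bind_ip = conf.get("net", {}).get("bindIp", "")
    # Before MongoDB 3.6 an unset bindIp meant listening on all interfaces,
    # so a missing value is treated as exposed, like 0.0.0.0 or :: (IPv6 any).
    if not bind_ip or "0.0.0.0" in bind_ip or "::" in bind_ip.split(","):
        findings.append("net.bindIp: mongod reachable on all interfaces")
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security.authorization: no authentication required")
    return findings


# Constructed sample configs for the demo (not CloudPets' actual files).
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0      # every interface, including the public one
"""                     # no security section at all

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1    # local clients only; app servers reach it over a private network
security:
  authorization: enabled   # users must first be created with db.createUser()
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```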
Security researcher Troy Hunt was one of the first to reveal this leak; his source and other reporters claim that several emails had previously been sent to the company informing it of the security issue, but no timely response was received. When the company finally acknowledged the issue, its response was recorded as: "you don't respond to some random person about a data breach".
Vatsal is a Threat Researcher at SS8. He believes that security is a time-based control: it is only a matter of time before someone breaks into the network, so the goal is to make the control hold out longer than the asset under protection remains worth the effort.