Published on September 27th, 2018 | by Vatsal Desai
Can You Prevent Becoming The Next Equifax?
A security incident is particularly concerning when it is associated with platforms that process data for an enormous number of users. PII and/or financial data lost in such incidents may be used for identity theft and monetary misappropriation. Federal agencies are consequently involved, and investigations depend on the severity, scope and target of the incident. Platforms like social media, communication service providers and financial institutions are gold mines for adversaries. In this blog post, we look at security incidents that have affected entities known for handling data of a large audience, and at steps that could help detect such incidents sooner.
T-Mobile Open API
The T-Mobile breach of August 2018 was due to an unauthenticated API that would return account data when queried. User information like name, account number, phone number, email address, billing address and the MD5 hash of the Base64-encoded password could be extracted. More than ~2.3 million records were stolen before the internal security team identified and stopped the breach.
T-Mobile suffered a similar breach in 2017 when an insecure public-facing API returned name, email, IMSI, account number and details associated with members of the same family. A basic script could have been written to iterate through all the phone numbers for complete data exfiltration. T-Mobile could not confirm whether the breach affected a broader audience, possibly due to a lack of monitoring.
BreachDetect: Traditional logging and/or network monitoring is challenging for API traffic, as public-facing APIs usually service a massive number of requests. SS8’s PXE & Sensor generate protocol summaries and meta-data that prove vital for logging API events within a very small footprint. Fact-based rules and anomaly detection algorithms on SS8’s Security Analytics platform can alert based on gathered data and customized policies. Runbook procedures can then be developed to use the alert information for reactive changes on the firewall and/or application.
Sprint Internal Customer Portal
Sprint reported weak authentication for an internal portal in August 2018. This portal allowed access to customer information using a mobile number and a 4-digit PIN. With no limit on the number of attempts that could be made, an adversary could brute-force all possible PIN values for a given mobile number to extract customer information. It was found that the extracted information was sufficient to transfer ownership of the account. The internal portal was protected with a traditional authentication mechanism using weak passwords that could be found on common password lists. It is important to protect sensitive data of such nature and magnitude with role-based access controls and multi-factor authentication.
BreachDetect: Internal applications are often overlooked during security considerations; a generic mindset assumes that only an authenticated user who belongs to the organization will be able to access the data. Such assumptions miss possibilities around insider threat detection, privilege misuse and weak authentication. SS8’s Insider Threat Detect ingests network traffic and logs, and it can reveal failed attempts that suggest suspicious behavior. All internal applications with insufficient controls can thus be identified and fixed.
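The two patterns above, one client walking through many distinct account identifiers (the T-Mobile API case) and many failed authentications against a single identifier (the Sprint PIN case), can both be flagged from per-request API logs. The following is an added example, not SS8 code or anything from the affected companies; the log format and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed API access log (not T-Mobile's or Sprint's data). Assumed format:
# <timestamp> <client_ip> <endpoint> <account_or_mobile_number> <http_status>
SAMPLE_LOG = """\
2018-08-20T10:00:01Z 198.51.100.7 /account 5550001 200
2018-08-20T10:00:02Z 198.51.100.7 /account 5550002 200
2018-08-20T10:00:03Z 198.51.100.7 /account 5550003 200
2018-08-20T10:00:04Z 198.51.100.7 /account 5550004 200
2018-08-20T10:00:05Z 198.51.100.7 /account 5550005 200
2018-08-20T10:01:00Z 203.0.113.9 /pin-login 5550042 401
2018-08-20T10:01:01Z 203.0.113.9 /pin-login 5550042 401
2018-08-20T10:01:02Z 203.0.113.9 /pin-login 5550042 401
2018-08-20T10:01:03Z 203.0.113.9 /pin-login 5550042 401
2018-08-20T10:01:04Z 203.0.113.9 /pin-login 5550042 401
2018-08-20T10:02:00Z 192.0.2.10 /account 5550042 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_events(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, endpoint, ident, status = m.groups()
            yield {"ts": ts, "ip": ip, "endpoint": endpoint,
                   "ident": ident, "status": int(status)}

def detect_abuse(lines, enum_threshold=5, brute_threshold=5):
    """Return alerts for (a) one client touching many distinct identifiers,
    the enumeration pattern, and (b) many failed authentications against
    one identifier, the PIN brute-force pattern. Thresholds are assumed."""
    idents_by_ip = defaultdict(set)
    failures_by_ident = defaultdict(int)
    for ev in parse_events(lines):
        idents_by_ip[ev["ip"]].add(ev["ident"])
        if ev["status"] == 401:
            failures_by_ident[ev["ident"]] += 1
    alerts = []
    for ip, idents in sorted(idents_by_ip.items()):
        if len(idents) >= enum_threshold:
            alerts.append(("enumeration", ip, len(idents)))
    for ident, n in sorted(failures_by_ident.items()):
        if n >= brute_threshold:
            alerts.append(("brute_force", ident, n))
    return alerts
```

In production the counts would be kept per time window rather than over the whole file, so that a legitimate client is not flagged for activity spread over a day.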
Equifax Apache Struts Vulnerability
Equifax’s infamous breach was reported in September 2017. It was primarily due to an unpatched Apache Struts installation that was vulnerable to CVE-2017-5638. The credit agency reported that ~2.5 million records were stolen and that ~150 million users could be affected. Most records contained PII such as name, DoB, addresses, license numbers, credit card numbers and SSN.
BreachDetect: While patch cycle delay is the root cause of this problem, certain detection techniques may help to quickly identify such issues. Apache logs would most likely fail to help in such scenarios, as logging mechanisms are built to report on known instances of good/bad, while an exploited vulnerability often manages to pass as an unknown occurrence. With SS8’s network fingerprinting capability, the existence of unpatched applications and the use of vulnerable protocols may be identified.
Friend Finder Networks
The Friend Finder Networks breach of November 2016 is widely known. It was reported that ~410 million accounts were affected across various applications owned by the parent company. Leaked account details include names, pictures, addresses, passwords, etc. Records of users from applications that were no longer being developed, and those of deleted users, were also being retained by the parent company. The breach was primarily due to a file inclusion vulnerability that, along with other methods, allowed the adversary to execute code on the affected systems.
BreachDetect: As with Equifax, since a vulnerability was exploited to gain access to the systems, it is most likely a scenario that log generation could not cover. Auditing changes made by applications and services while accessing sensitive files may help to identify such occurrences. SS8’s network monitoring capabilities provide visibility into ~1500 applications and help identify abnormal data transfers and files leaving the network.
AT&T Third Party Threats
AT&T reported a breach of security policy when certain third-party employees accessed customer information. The data was made available to the third party to allow them to port devices from AT&T to other telecommunications providers. However, it was reported that PII such as SSN, DoB and Customer Proprietary Network Information (CPNI) was also accessible. AT&T agreed to pay $25 million in civil penalties.
BreachDetect: The root cause of this breach is privilege misuse and inadequate access controls. Privileges granted to certain entities, the entities themselves, as well as the administrators responsible for granting/revoking privileges, are subject to change over time. Depending on how often the changes are made, it is entirely possible that an important configuration is overlooked. SS8’s device tracking capabilities can provide accountability for access-related actions performed by systems, services and users. This is key for security monitoring. Full packet captures are not necessary, as the required information is available through network meta-data and/or logs. Such monitoring capabilities help to provide proof of access and also facilitate retrospective inspection. Device Tracker would identify powerful users and shared systems. An entity with unexpected access to certain systems would then require an administrator’s attention.
Verizon Open S3 Bucket
Verizon reported the existence of an open storage unit on Amazon AWS in July 2017; this unit was managed by Nice Systems. This storage unit hosted PII data of 14 million users. Customer data like name, email address, street address, phone numbers and PINs were available for download without authentication. Due to insufficient access controls, certain third parties could collect and access details of 6 million users who had used customer care services at Verizon.
BreachDetect: With ambiguity around network monitoring for cloud services, enabling and monitoring AWS S3 access logs is key. Logs provide information on individual requests, including the identity of the requester, the name of the bucket being accessed, timestamps, response codes, etc. SS8’s Security Analytics platform will ingest logs and correlate the information with existing entities to identify abnormal access and insufficient security controls.
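An open bucket shows up in S3 server access logs as successful object reads whose requester field is `-`, meaning no credentials were presented. The following parser and check is an added example, not SS8 code and not the logs of Verizon or Nice Systems; the log lines are constructed in the S3 server access log field order, and the bucket name, owner id, request ids and IAM ARN are placeholders.

```python
import re
from collections import defaultdict

# Constructed S3 server access log lines (not Verizon's or Nice Systems' logs).
# Field order follows the S3 server access log format; all values are made up.
SAMPLE_S3_LOG = """\
OWNERID nice-example-bucket [12/Jul/2017:14:02:11 +0000] 198.51.100.24 - REQ1EXAMPLE REST.GET.OBJECT exports/customers-0001.csv "GET /exports/customers-0001.csv HTTP/1.1" 200 - 5242880 5242880 94 12 "-" "python-requests/2.18.1" -
OWNERID nice-example-bucket [12/Jul/2017:14:02:12 +0000] 198.51.100.24 - REQ2EXAMPLE REST.GET.OBJECT exports/customers-0002.csv "GET /exports/customers-0002.csv HTTP/1.1" 200 - 5242880 5242880 91 11 "-" "python-requests/2.18.1" -
OWNERID nice-example-bucket [12/Jul/2017:14:05:00 +0000] 203.0.113.5 arn:aws:iam::111122223333:user/etl-service REQ3EXAMPLE REST.PUT.OBJECT exports/customers-0003.csv "PUT /exports/customers-0003.csv HTTP/1.1" 200 - - 5242880 120 30 "-" "aws-cli/1.14.0" -
OWNERID nice-example-bucket [12/Jul/2017:14:06:00 +0000] 198.51.100.30 - REQ4EXAMPLE REST.GET.OBJECT exports/customers-0003.csv "GET /exports/customers-0003.csv HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/7.54.0" -
"""

# Leading fields of the S3 server access log format; trailing fields are ignored.
S3_LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\d{3}) (?P<error>\S+) '
    r'(?P<bytes_sent>\S+) (?P<object_size>\S+)'
)

def parse_s3_log(lines):
    """Yield one dict per parseable line; anything else is skipped."""
    for line in lines:
        m = S3_LOG_RE.match(line)
        if m:
            yield m.groupdict()

def anonymous_reads(lines):
    """Successful object reads with requester '-', i.e. no credentials presented:
    this is what an open bucket looks like in its own access logs."""
    hits = []
    for ev in parse_s3_log(lines):
        if (ev["requester"] == "-" and ev["status"] == "200"
                and ev["operation"] == "REST.GET.OBJECT"):
            hits.append((ev["ip"], ev["key"], int(ev["bytes_sent"])))
    return hits

def bytes_by_anonymous_ip(lines):
    """Aggregate per source address so a bulk scrape stands out by volume."""
    totals = defaultdict(int)
    for ip, _key, nbytes in anonymous_reads(lines):
        totals[ip] += nbytes
    return dict(totals)
```

A single anonymous read is already a finding (the bucket policy allows it); the per-address totals show how much left.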
Twitter Extensive Logging
Twitter reported the existence of an internal logging mechanism that recorded plain text passwords in May 2018. Twitter uses bcrypt as the preferred form of password hashing. Current computation capabilities allow bcrypt to be resistant to brute-force attacks; however, certain Twitter mechanisms around this hashing scheme were flawed. It was reported that plain text passwords of users accessing the service were being written to an internal log before being hashed for storage and verification. No misuse was reported; however, all 330 million users were asked to change their password.
BreachDetect: For root cause identification of such issues, threat modelling and control/data flow analysis of sensitive modules becomes necessary. SS8’s Insider Threat Detection capabilities can help identify data and network flows among internal systems.
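The flaw above is a data-flow problem: the credential reaches a log sink before it reaches the hash function. Two controls close that path, redacting secret fields before a log record is built and a logging filter that scrubs `password=...` patterns from any message that slips through. The following is an added example, not Twitter's code; the login handler is hypothetical and hashlib.scrypt is substituted for bcrypt so it runs with the standard library only.

```python
import hashlib
import logging
import os
import re

SECRET_FIELDS = {"password", "passwd", "pin", "token"}
SECRET_PATTERN = re.compile(r"(?i)\b(password|passwd|pin|token)(\s*[=:]\s*)[^\s,;'\"]+")

def redact(params):
    """Structured redaction: strip secret values before a record is built."""
    return {k: ("<redacted>" if k.lower() in SECRET_FIELDS else v)
            for k, v in params.items()}

class CredentialFilter(logging.Filter):
    """Defence in depth: scrub key=value secrets from any formatted message."""
    def filter(self, record):
        record.msg = SECRET_PATTERN.sub(r"\1\2<redacted>", record.getMessage())
        record.args = ()
        return True

class ListHandler(logging.Handler):
    """Collects formatted records so the result can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def hash_password(password, salt=None):
    """Assumption: hashlib.scrypt stands in for bcrypt to stay stdlib-only."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()

def handle_login(form, log):
    """Hypothetical login handler: log only redacted data, then hash."""
    log.info("login attempt: %r", redact(form))
    log.info("raw form password=%s", form["password"])  # careless line, caught by filter
    return hash_password(form["password"])

def run_demo(form):
    """Wire the filter into an isolated logger; return (log lines, stored hash)."""
    log = logging.getLogger("auth.demo")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.handlers = [ListHandler()]
    log.filters = [CredentialFilter()]
    stored = handle_login(form, log)
    return log.handlers[0].lines, stored
```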
Vatsal is a Threat Researcher at SS8. He believes that security is a time-based control — it is only a matter of time before someone breaks into the network, the goal is to improve the control time to surpass the value of the asset under protection.