The internet is growing every year. Hundreds of new applications are built and launched every day, and within organisations many of them are never seen by senior staff. How many basic web applications, like contact forms, does your organisation roll out each year? Each one is small on its own, but together they add up to a real challenge for businesses: how do you manage the growing web application security risk?
In today’s post I share five examples of what happens when organisations take the easy route, and ignore web application security.
1) PowerGen
Back in 2000, PowerGen left thousands of its online customers' bank and contact details completely unprotected. While an IT consultant was trying to pay a bill online, he discovered a file containing the names, addresses, debit/credit card numbers and expiry dates of approximately 7,000 PowerGen customers.
At the time, the leak was one of the biggest online security scares to hit the UK. All the consultant had to do to reach the file was edit the URL: the data had been left in a directory that the web server served to anyone who asked for it. The cause? Allowing a private directory to be public.
2) Halifax
In 1999, Halifax had to suspend its internet-based share-dealing service after customers were able to access other people's accounts. Not only could customers see other people's details, it was also possible to buy and sell shares within strangers' accounts. The failure is broken access control: the application trusted the account identifier in the request instead of checking that it belonged to the logged-in customer.
Whilst no one lost any money or appeared to exploit the hole, it was a public relations nightmare for Halifax and its new online share-dealing service.
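Both the PowerGen and Halifax incidents come down to the same mistake: the server answered whatever identifier or file name appeared in the URL without asking whether the requester was entitled to it. The following is an added example, not code from either company or from this post, using a made-up URL layout, made-up accounts and a made-up customer export; it shows the vulnerable lookup beside the hardened one.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample data; the URL shapes, names and handlers below are
# assumptions made for this example, not the systems described in the post.

@dataclass
class Account:
    account_id: int
    owner: str
    balance: int

ACCOUNTS = {
    1001: Account(1001, "alice", 2500),
    1002: Account(1002, "bob", 900),
}

# Files the site intends to serve to anyone, keyed by public name.
PUBLIC_FILES = {"terms.txt": b"Terms of service..."}
# A private export that ended up under the same web root (the PowerGen pattern).
PRIVATE_FILES = {"customers.csv": b"name,card,expiry\nalice,4111...,12/25\n"}


def lookup_vulnerable(session_user, path):
    """Trusts the URL: any logged-in user can read any account (Halifax),
    and any file under the web root is reachable by guessing its name (PowerGen)."""
    parts = PurePosixPath(path).parts  # "/accounts/1001" -> ("/", "accounts", "1001")
    if len(parts) == 3 and parts[1] == "accounts":
        return ACCOUNTS[int(parts[2])]
    if len(parts) == 3 and parts[1] == "files":
        name = parts[2]
        return PUBLIC_FILES.get(name) or PRIVATE_FILES.get(name)
    raise KeyError(path)


def lookup_fixed(session_user, path):
    """Authorises every object against the session, not the URL."""
    parts = PurePosixPath(path).parts
    if len(parts) == 3 and parts[1] == "accounts":
        acct = ACCOUNTS.get(int(parts[2]))
        # One answer for "does not exist" and "not yours", so ids cannot be enumerated.
        if acct is None or acct.owner != session_user:
            raise PermissionError(path)
        return acct
    if len(parts) == 3 and parts[1] == "files":
        name = parts[2]
        # Allow-list of public files; private exports are not reachable by URL at all.
        if name not in PUBLIC_FILES:
            raise PermissionError(path)
        return PUBLIC_FILES[name]
    raise KeyError(path)


def denied(handler, session_user, path):
    """True if the handler refuses the request; used to compare the two versions."""
    try:
        handler(session_user, path)
    except (PermissionError, KeyError):
        return True
    return False


if __name__ == "__main__":
    print("bob reads alice's account (vulnerable):", lookup_vulnerable("bob", "/accounts/1001"))
    print("bob reads alice's account (fixed): denied =", denied(lookup_fixed, "bob", "/accounts/1001"))
    print("anonymous fetches export (vulnerable):", lookup_vulnerable(None, "/files/customers.csv"))
    print("anonymous fetches export (fixed): denied =", denied(lookup_fixed, None, "/files/customers.csv"))
```

The ownership check and the allow-list are the whole fix; neither depends on the identifier being hard to guess, which is why "change the URL a bit" stops working.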
3) Sony
The Sony PlayStation Network breach of 2011 is one of the most famous web application security failings of all time. Attackers stole personal data on 77 million registered users, about 12 million of whom had credit card numbers on file.
Sony says it has still not identified the source of the attack beyond the fact that it came in through a web application.
4) Heartland
Heartland's breach was one of the largest information security failures of all time. The intruders were inside during 2008 and the breach was disclosed in January 2009. Over 100 million credit and debit card numbers were exposed. The intrusion began with SQL injection against a web application and then spread malware that captured card data as it passed through Heartland's network. The same malware had already been used against over 300 other companies, yet the assessors who had signed off Heartland's security did not know that attack vector existed.
5) Adobe
The most recent, and biggest, of the web application breaches to date is Adobe's, disclosed in October 2013. By November a dump of around 150 million customer records was circulating, complete with password hints.
Worse still, it turned out that Adobe had not hashed the passwords at all. Every password was encrypted with the same key using a block cipher (3DES) in ECB mode and without a salt, instead of being stored as a salted, slow hash. Two users with the same password therefore had identical encrypted strings, and the hints, stored in plain text, let people work out what the most common strings stood for without ever recovering the key.
It wasn't long before common passwords and their equivalent encrypted strings had been worked out, allowing attackers to associate email addresses with raw passwords. With many people using the same password for multiple accounts, this was a huge problem. For example, if you used the same password for your Adobe account as for your email account, and that password was "123456", an attacker could easily log in to your email and from there gain access to dozens of other accounts, from social media profiles to bank accounts.
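The Adobe failure and its fix are easy to show side by side. The following is an added example, not Adobe's code or anything from this post. It uses a handful of made-up records, and an HMAC under one fixed key stands in for Adobe's 3DES-ECB scheme, because the property that matters is the same: equal passwords produce equal stored values. The second half stores the same passwords with a per-user random salt and a slow hash (PBKDF2 from the standard library) and shows that the grouping trick no longer works.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data. SITE_KEY, the users and the hints are made up for
# this example; the HMAC is a stand-in for Adobe's single-key 3DES-ECB.
SITE_KEY = b"one-key-for-every-record"


def unsalted_protect(password: str) -> str:
    """Deterministic, unsalted: the same password always yields the same string."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


USERS = [
    ("alice@example.com", "123456", "one to six"),
    ("bob@example.com",   "123456", "numbers"),
    ("carol@example.com", "123456", ""),
    ("dave@example.com",  "password", "the word itself"),
    ("erin@example.com",  "password", "same as everywhere"),
    ("frank@example.com", "correct horse battery", "xkcd"),
]

# The leaked table as an attacker sees it: email, stored value, plaintext hint.
LEAK = [(email, unsalted_protect(pw), hint) for email, pw, hint in USERS]


def pool_hints(records):
    """Group rows by identical stored value and pool their hints, largest group
    first. No key is needed: the biggest groups plus a few hints give the
    password away, and it is then known for every email in the group."""
    groups = defaultdict(lambda: {"emails": [], "hints": []})
    for email, stored, hint in records:
        groups[stored]["emails"].append(email)
        if hint:
            groups[stored]["hints"].append(hint)
    return sorted(groups.values(), key=lambda g: len(g["emails"]), reverse=True)


# The fix: a random salt per user and a deliberately slow hash. PBKDF2 is used
# because it ships with Python; scrypt or Argon2 are the usual recommendations.
ITERATIONS = 200_000


def salted_hash(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


def group_sizes_after_fix(users):
    """Same grouping applied to salted hashes: every row is its own group, so
    neither frequency nor another user's hint says anything about your password."""
    stored = [(email, salted_hash(pw)[1].hex(), hint) for email, pw, hint in users]
    return [len(g["emails"]) for g in pool_hints(stored)]


if __name__ == "__main__":
    for g in pool_hints(LEAK):
        print(len(g["emails"]), "users share a value; pooled hints:", g["hints"])
    print("group sizes with salted hashes:", group_sizes_after_fix(USERS))
```

Note that the attacker in the first half never decrypts anything; the combination of a deterministic stored value and readable hints is enough, which is why a unique salt per user is not optional.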
What does your organisation do to ensure web application security? Is it treated as a priority, or seen as an afterthought to be bolted on later? If your organisation doesn't take web application security seriously, it could be joining this list. The total cost of the Sony breach was estimated by the Ponemon Institute at $24 billion. Could your organisation afford a $24bn hit to its bottom line?

