Oh no you didn’t: 4 of the biggest cybersecurity flubs of 2018 (so far)

Posted in Security by Techtiplib on Tuesday, July 17th, 2018

The internet is rife with criminals. Swarms of them congregate on the dark web, poking their heads up into the internet at large to cause madness, mayhem and destruction, making their money, firing a few shots on Twitter, and scurrying back underground to await the next opportunity to do real damage to websites, businesses and internet users.

These criminals are innovative, relentless and increasingly successful at their endeavors. They don’t need anyone’s help to get sensitive data or cause downtime. And yet, every year some of the biggest cybersecurity disasters happen because of a simple mistake or error in judgment.

Here are a few from 2018, so far.

2018 cybersecurity flub #1: a taunt with consequences

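Like many online services, email provider ProtonMail is no stranger to the downtime-causing devastator that is a DDoS attack. They even famously paid a DDoS ransom back when they were a start-up in 2015, going against every expert’s advice when it comes to DDoS extortion attempts.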

Three years later, ProtonMail is still struggling with its responses to DDoS attacks. After the Apophis Squad hit the service with a short attack while testing a new DDoS stresser, ProtonMail’s CTO called the group clowns on Twitter. Several hours of on-and-off outages followed as the Apophis Squad took aim at ProtonMail with a more sustained attack, promising to allow the network back online if Butler apologized.

2018 cybersecurity flub #2: publicly available private data

File this one under All Too Common. BJC HealthCare, a non-profit healthcare organization in Missouri, accidentally compromised the scanned insurance cards, scanned drivers’ licenses and information on treatment received between 2003 and 2009 of over 33,000 patients. If that weren’t bad enough, this information was publicly available from May 2017 to January 2018 thanks to a misconfigured server. As is too often the case, misconfigured here basically means not configured, as the server did not have any security protocol.

2018 cybersecurity flub #3: making a bad thing worse

In August of 2017 eagle-eyed security researcher Dylan Houlihan spotted exposed customer data – including his own – on the Panera Bread website. As a security researcher he knew what to do and decided to get in touch with the company to submit his bug report. Since this is not the end of the story you can probably surmise that Panera Bread fumbled their response, and oh, how they fumbled.

After failing to find a proper channel for submitting a bug report, Houlihan used a cybersecurity industry connection to send information on the vulnerability directly to a high-ranking security employee at Panera Bread. His information was ignored because the security team decided it sounded suspicious in nature, accusing Houlihan of using it as a sales tactic. Once he finally persuaded the team to accept his full vulnerability report, Panera Bread proceeded to not do anything about the vulnerability for eight months until April of 2018 when Houlihan went public with his findings and forced the company’s hand. In the meantime, the records of over ten thousand customers who had signed up for online ordering were available on the Panera Bread website. All in all, a master class in what not to do when someone takes the time to inform a company about a dire vulnerability.

2018 cybersecurity flub #4: the tables turned

If you’re wondering if it’s only the good guys and gals who mess up in the cybersecurity landscape, rest assured that no, it is not. Bad actors make big fundamental mistakes as well.

The people who assemble massive IoT botnets are able to do so because of weak or default security settings on devices, including usernames and passwords. So it’s somewhat thanks to irony that white hat hackers were able to commandeer the Owari botnet: the attackers behind the botnet left port 3306, the default MySQL port, open on their command-and-control server and used the word root for both the username and password. Live by the weak security settings, die by the weak security settings.

To err is human

In all likelihood, human beings will always be the weakest link when it comes to cybersecurity. Which makes sense, as computers are generally programmed to not screw up and humans are not programmed like that at all, to put it mildly. However, with consequences for data breaches, DDoS attacks and other cyber disasters growing increasingly serious, it’s about time we humans got it together a bit and stopped making it so easy for bad people to do bad things. They’re still going to do bad things, but let’s at least agree to make them work for it.

Author Bio:

Simon Hopes is a renowned author and social media enthusiast.
