CTC’s October 2018 Threat Report

Cybersecurity issues brought to light over the past month or so remind us of a very important aspect of the internet: everything is connected. No website exists on an island that is perfectly fortified against attack. And sometimes, the attacks come from a seemingly friendly territory.

The code that KO’d British Airways

An attack on British Airways’ website by a criminal hacker enterprise successfully captured personal and payment data on 380,000 customers.

All it took, according to RiskIQ, was 22 lines of code:

[Image: the 22-line skimmer script as published in RiskIQ's analysis. Image source: RiskIQ]

In effect, the hackers used a digital version of card-skimmer technology to lift the information they were after. The weakness the group exploited was a third-party script, of the kind companies embed in their sites to handle customer-facing functions such as feedback and support widgets.

The attack has reignited suggestions from some cybersecurity experts for companies to halt the practice of using third-party/external scripts for sensitive processes.

Facebook user data compromised … again

In what seemingly is becoming a recurring event, Facebook user data has again been compromised.

This time around, the social media company said hackers pulled personal information on 50 million users. From The New York Times:

“The breach … was the largest in the company’s 14-year history. The attackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take control of them.”

What Facebook was a little slower to acknowledge was the fact that this vulnerability may have granted the hackers access to any website or web-based service that users log into using their Facebook credentials. As Wired puts it: “If your account was impacted it means that a hacker could have accessed any account that you log into using Facebook.”

Facebook representatives said they addressed the vulnerability that aided the breach. They also logged out 90 million — not 50 million — users. That’s a common practice in such situations, but the discrepancy between the figures is notable.

When Facebook’s Cambridge Analytica scandal was unfolding, the company admitted the total number of users affected was 30 million. That number was revised later to 50 million. And then revised yet again to 87 million.

We’ll see if the number of affected users remains at 50 million or is revised upward — perhaps to the 90 million figure the company also cited.

Even companies that do not allow users to log in with their Facebook credentials need to be aware of the issue. After all, information pulled from the breach could aid hackers’ social engineering efforts … which could affect you.

Bringing these two situations closer to home, here are two questions they should prompt at every company that collects sensitive customer information:

  1. Am I certain that our process is well protected against such attempts?
  2. Do I have that same level of assurance about every partner, vendor and code source used in our process?

If your replies are anything shy of 100% certainty, now is a good time to examine your site more closely. A chain is only as strong as its weakest link. And when two massive companies such as Facebook and British Airways prove to be weak links, it’s time to examine all of your links.

We can help

CTC Technologies is ready to help protect your business from the ever-present threat posed by hackers and others. Reach out to us online or at 734-408-0200 to speak to one of our cybersecurity specialists. Then follow us on Twitter and Facebook for security updates.