First up is a breach that was four years long and resulted in 500,000,000 people impacted. What the Marriott Breach Says About Security.
Krebs talks at length about “clueful” companies and companies with a “mature security posture.” I think it’s clear that Marriott doesn’t fall into either category.
For companies, this principle means accepting the notion that it is no longer possible to keep the bad guys out of your networks entirely. This doesn’t mean abandoning all tenets of traditional defense, such as quickly applying software patches and using technologies to block or at least detect malware infections.
It means accepting that despite how many resources you expend trying to keep malware and miscreants out, all of this can be undone in a flash when users click on malicious links or fall for phishing attacks. Or a previously unknown security flaw gets exploited before it can be patched. Or any one of a myriad other ways attackers can win just by being right once, when defenders need to be right 100 percent of the time.
“How many resources you expend…” translation: it is going to cost more than you want to spend on security. But as for the downside costs… talk to Maersk Lines, or Federal Express.
How about exposing customer information to the public internet? No password required! SKY Brasil Exposes 32 Million Customer Records
SKY Brazil is a subsidiary of DirecTV Latin America.
“The data the server stored was Full name, e-mail, password, pay-TV package data (Sky Brazil), client ip addresses, personal addresses, payment methods,” Castro told BleepingComputer. “Among other information the model of the device, serial numbers of the device that is in the customer’s home, and also the log files of the whole platform.”
They were able to fix this IN A FEW MINUTES by adding a password. These servers had been indexed by the Shodan search engine. But hey, THEIR information hasn’t been made public. (I take it that “payment methods” means the credit card numbers of customers were available.)
The fact that “only” 32 million records were exposed makes this seem less important. Probably doesn’t seem that way to anyone who is impacted.
You would think an internet company would do better. And they have. Somewhat. Quora Hacked – 100 Million Users’ Data Exposed.
“We recently became aware that some user data was compromised due to unauthorized access to our systems by a malicious third party,” stated Quora’s security update. “We have engaged leading digital forensic and security experts and launched an investigation, which is ongoing. We have notified law enforcement officials. We are notifying affected Quora users.”
These guys seem to be reacting appropriately. And indications are that they discovered the breach fairly quickly. (Not 4 years anyway.)