At a glance.
- Questions regarding LifeLock’s data breach response.
- Nissan customer data driven off the lot.
- Vice Society claims responsibility for German university cyberattack.
Questions regarding LifeLock’s data breach response.
As we noted yesterday, Norton LifeLock has disclosed that thousands of customer accounts were breached by hackers. Naked Security takes a closer look at exactly what might have happened, and how LifeLock handled the incident. In its notification letters to customers, LifeLock states, “[B]eginning around 2022-12-01, an unauthorized third party had used a list of usernames and passwords obtained from another source, such as the dark web, to attempt to log into Norton customer accounts. Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account.”
It’s likely the breach was the result of a credential stuffing attack, in which usernames and passwords leaked from other sites are replayed in bulk against a target’s login page. Although not technically an attack on LifeLock’s network, the incident still exposed user data and compromised customer accounts. Some critics say that LifeLock should have detected the suspicious activity more quickly, noting that twelve days passed between the increased volume of login attempts and the company’s discovery of the issue, and that it was another ten days before LifeLock determined the login attempts were likely driven by credentials stolen from some other source. It’s also unclear why LifeLock waited until after the New Year to inform users about the event, given that the investigation was conducted in December.
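The pattern the critics say should have been caught earlier is not subtle: a stuffing source replays many different usernames from one origin and most attempts fail, whereas a legitimate user retrying a forgotten password hits one username. The following Python is an added example for this briefing, not Norton LifeLock’s code; the log format, the IP addresses and usernames (constructed, using RFC 5737 test ranges), and the thresholds are assumptions chosen for illustration.

```python
"""Detecting credential stuffing in authentication logs (added example).

Assumed log line shape: "<ISO timestamp> auth OK|FAIL user=<name> ip=<addr>".
Thresholds are illustrative and should be tuned against a real baseline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["result"] == "OK",
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def detect_stuffing(events, window_minutes=5, min_attempts=20,
                    min_users=15, min_fail_rate=0.8):
    """Flag (time window, source IP) pairs that look like credential stuffing.

    A finding also lists the accounts that logged in successfully from the
    flagged source: those are the credentials the attacker evidently holds,
    and the ones that need a forced reset.
    """
    buckets = defaultdict(list)
    for e in events:
        start = e["ts"].replace(second=0, microsecond=0)
        start = start.replace(minute=(start.minute // window_minutes) * window_minutes)
        buckets[(start, e["ip"])].append(e)

    findings = []
    for (start, ip), evs in sorted(buckets.items()):
        attempts = len(evs)
        users = {e["user"] for e in evs}
        fails = sum(1 for e in evs if not e["ok"])
        fail_rate = fails / attempts
        if (attempts >= min_attempts and len(users) >= min_users
                and fail_rate >= min_fail_rate):
            findings.append({
                "window_start": start.isoformat(),
                "ip": ip,
                "attempts": attempts,
                "distinct_users": len(users),
                "fail_rate": round(fail_rate, 3),
                "compromised": sorted(e["user"] for e in evs if e["ok"]),
            })
    return findings


def constructed_log():
    """Constructed sample log (not real data): one clumsy legitimate user and
    one source walking a leaked list of 30 usernames within three minutes."""
    base = datetime(2022, 12, 1, 3, 0, 0)
    lines = []
    for i in range(4):  # carol mistypes her password four times, then succeeds
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} auth FAIL user=carol ip=203.0.113.5")
    lines.append(f"{(base + timedelta(seconds=130)).isoformat()} auth OK user=carol ip=203.0.113.5")
    for i in range(30):  # 198.51.100.7 tries 30 accounts; two leaked passwords still work
        t = base + timedelta(seconds=6 * i)
        user = f"user{i:02d}"
        result = "OK" if user in ("user03", "user17") else "FAIL"
        lines.append(f"{t.isoformat()} auth {result} user={user} ip=198.51.100.7")
    return lines


if __name__ == "__main__":
    for finding in detect_stuffing(parse(constructed_log())):
        print(finding)
```

Carol’s five attempts never trip the detector because they are one username from one address; the second source is flagged on volume, username spread and failure rate together, and the two accounts that authenticated from it are reported for reset. Keying the buckets on source IP is the simplest cut; a stuffing campaign spread across a proxy pool needs the same counters aggregated per target account or per autonomous system as well.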
Nissan customer data driven off the lot.
Car manufacturer Nissan North America has confirmed that customer data were potentially compromised as the result of a breach at a third-party service provider. According to a report filed with the Office of the Maine Attorney General on Monday, nearly 18,000 customers were impacted by the incident. In its notification letter to customers, Nissan says that in June 2022 the company received notice of a data breach from one of its software development vendors, which had been given Nissan customer data to use in developing and testing software solutions for the automaker.
The data were inadvertently exposed due to a database configuration error. "Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository,” the notice states. After securing the data and launching an investigation, in September Nissan determined that an intruder had likely accessed the data, which include full names, dates of birth, and Nissan finance account numbers. Bleeping Computer notes that this is not the first time the automaker has experienced an accidental data breach; in January 2021 a Git server was inadvertently exposed online with default access credentials, resulting in the leak of 20GB of company data.
Erich Kron, security awareness advocate at KnowBe4, commented on the lessons an incident like this can teach about supply chain security:
“This is yet another example of where supply chain issues can impact organizations. Nissan provided the information in good faith to an organization contracted to do testing, however that organization failed to properly secure the data. This serves to outline the contractual requirements when providing information to third parties, even when they have a legitimate need. The issue also helps outline the importance of having processes in place to validate or test potential contractors’ systems that will be handling your information. While it's often not an easy sell to get a contractor to allow you to audit their systems, the history of data breaches caused by this type of mishandling is a strong argument toward being able to do that. While certifications, such as SOC2, are designed to ease concerns about data handling, they are far inferior to doing an audit yourself.
“Any organization that handles your data needs to be held to a standard of protection at or above your own. This means employing the same level of technical controls and security education for employees. An unfortunate part of these types of issues is that Nissan will be associated with the breach, however the third party will likely go unremembered. Organizations need to understand that they put their own reputations at stake when working with third parties in situations such as this.”
Added, 7:30 PM ET, January 18th, 2023.
Maor Bin, CEO of Adaptive Shield, wrote to draw attention to some lessons the incident holds for other organizations.
"There are two main takeaways we can learn from the recent breach at Nissan. The first, that organizations granting external vendor access are increasing their vulnerability and risk of an attack. Security teams must constantly monitor and evaluate who has access and why. And secondly, the use of real customer data for development and testing purposes should be discouraged. Instead, organizations should strive to use synthetic data that mimics real data. We see problems arise because often, test environments are not prioritized for security and maintenance of good configuration hygiene compared with production environments. This is an Achilles' heel for security teams. Using real data in testing environments, combined with low security and minimum safeguards, leads to data leakage."
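Two of the points above, real customer records embedded in code that ends up in a public repository (the Nissan notice) and Bin’s suggestion to use synthetic data instead, can be combined into one pre-commit check. The following Python is an added example for this briefing, not Nissan’s or its vendor’s code; the fixture layout (one "Name | YYYY-MM-DD | account number" record per line), the detection heuristic, the salt value and the sample fixture are all assumptions constructed for illustration.

```python
"""Scrubbing real-looking customer records out of test fixtures (added example).

find_records() is what a pre-commit hook would run to block a push;
scrub() rewrites the records into deterministic synthetic ones so the
tests that depend on the fixture keep working.
"""
import hashlib
import re

# Heuristic: a two-word capitalised name, a date of birth and a 10-16 digit
# account number on one line. A real schema needs its own pattern.
RECORD_RE = re.compile(
    r"(?P<name>[A-Z][a-z]+ [A-Z][a-z]+)[ \t]*\|[ \t]*"
    r"(?P<dob>\d{4}-\d{2}-\d{2})[ \t]*\|[ \t]*(?P<acct>\d{10,16})"
)

# Constructed sample fixture; these are not real people or accounts.
FIXTURE = """# constructed sample fixture; no real people
customers:
  Jane Example | 1984-07-19 | 4012345678901
  John Sample | 1990-02-03 | 5500123456789012
schema_version: 3
"""


def find_records(text):
    """Return (line_number, name, dob, account) for each suspect record."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in RECORD_RE.finditer(line):
            hits.append((lineno, m["name"], m["dob"], m["acct"]))
    return hits


def synthetic_record(acct, salt):
    """Derive a fake name, DOB and account number from the real account number.

    Keyed hashing keeps the mapping consistent across fixtures (the same
    customer always becomes the same fake) without storing a lookup table.
    The salt must live outside the repository: anyone holding it can
    brute-force the mapping back over the account-number space.
    """
    n = int(hashlib.sha256(f"{salt}:{acct}".encode()).hexdigest(), 16)
    name = f"Synth User{n % 100000:05d}"  # digits in the name keep it out of RECORD_RE
    dob = f"{1950 + n % 60:04d}-{1 + (n >> 8) % 12:02d}-{1 + (n >> 16) % 28:02d}"
    fake_acct = str(n)[:len(acct)]  # same length as the original value
    return name, dob, fake_acct


def scrub(text, salt):
    """Replace every suspect record in text; returns (new_text, count)."""
    count = 0

    def repl(m):
        nonlocal count
        count += 1
        name, dob, acct = synthetic_record(m["acct"], salt)
        return f"{name} | {dob} | {acct}"

    return RECORD_RE.sub(repl, text), count


if __name__ == "__main__":
    for lineno, name, dob, acct in find_records(FIXTURE):
        print(f"line {lineno}: suspect record for {name} ({dob}, {acct})")
    cleaned, replaced = scrub(FIXTURE, "example-secret-salt")
    print(f"replaced {replaced} records:\n{cleaned}")
```

Wired into a pre-commit or CI step, a non-empty result from find_records() fails the commit; scrub() is the remediation the developer runs locally. The salt is a secret precisely because the synthetic values are a keyed function of the real ones; the point of the derivation is consistency across fixtures, not anonymisation of data that has already left the production boundary.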
Added, 8:30 PM ET, January 18th, 2023.
Gal Helemski, co-founder & CTO/CPO of PlainID, commented that the incident should be seen as, fundamentally, a problem amenable to solution through identity management.
"In attacks such as this, identity is the solution for finding the adversary and eliminating it from systems. Organizations must adopt a “Zero Trust” approach, which means trusting no one – not even known users or devices – until they have been verified and validated. Access policies and dynamic authorizations are a crucial part of the zero-trust architecture, as they help to verify who is requesting access, the context of the request, and the risk of the access environment.
"Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented toward purchasing the highest reward tools. Identity and authorization are where the smart money should be going. If we assume hackers are already in the network, it makes sense to focus budgets on technologies that restrict movement inside the network."
Amit Shaked, CEO and co-founder of Laminar, sees the Nissan case as an instance of "massive, decentralized, accidental risk."
"The increasing adoption of cloud data storage technologies, the proliferation of unknown or 'shadow' data that is not kept up to date by IT and security teams, the death of the traditional security perimeter and a faster rate of change for developers have all created a perfect storm known as the 'innovation attack surface.' It refers to the continuous unintentional risk cloud data users, such as Nissan and most other modern businesses today, take when using data to drive innovation. The innovation attack surface results from the massive, decentralized, accidental risk created by some of the smartest people in business — such as what happened in this incident. Customer data embedded within the code during Nissan's software testing was unintentionally and temporarily stored in a cloud-based public repository — a mistake any one of us could make.
"So how can organizations protect themselves from this innovation attack surface and prevent adversaries from getting their hands on sensitive company data? The key is to use agile cloud data security solutions that keep a real-time inventory of all cloud data, including shadow data, and prevent public exposure by automatically pinpointing when sensitive data is exposed. Having the dual approach of visibility and protection can prevent damages when mistakes happen."
Vice Society claims responsibility for German university cyberattack.
Ransomware gang Vice Society is making headlines again, this time taking credit for an attack on University of Duisburg-Essen (UDE), one of Germany's largest universities. The Record by Recorded Future recounts that the November incident disabled UDE’s Microsoft Office applications, internal administration systems, email, and telephone systems, forcing the school to shut down its entire IT infrastructure.
Adding insult to injury, according to a statement released by UDE on Monday, the hackers have released some of the stolen data on the dark web after the school refused to give in to ransom demands. “The University of Duisburg-Essen does not agree to their digital blackmail and does not support criminal offenses,” the university stated. The exposed data allegedly include financial documents, student information, and research papers. While the university has not identified the perpetrator of the attack, Vice Society has added University of Duisburg-Essen to the list of breach victims posted on the gang’s site. UDE is working with security and investigative authorities to verify the leaked data in order to identify the impacted individuals as soon as possible. Although UDE began restoring its systems in December, the school is still recovering from the initial attack, and a week after the initial breach the cybercriminals continued to attack some of the university’s services. UDE’s chancellor Jens Andreas Meinen says they hope to have all systems restored by the summer semester.