Lessons From a Security Breach

2:20 PM -- Last week, Vertical Web Media disclosed a security breach in which an attacker was able to steal customer information, including addresses, phone numbers, email addresses, credit card numbers, and expiration dates. We can learn some lessons, both positive and negative, by taking a closer look at the way the company and its president, Jack Love, handled the event. (See 'Coordinated' Hackers Steal Internet Retailer Customer Credit Cards.)

First, this is one of the best quotes I've seen from a company that suffered a breach: "This troubles us deeply... We thought our site was extremely well protected. We were up-to-date on all our patches."

It really drives home the point that just because you apply all available patches religiously you aren't necessarily secure. Malicious attackers don't have to exploit a vulnerability, such as those in operating systems or services, that are known and patched.

While a zero-day attack immediately comes to mind, that's not the only way an attacker can get into fully patched systems. They can use a variety of methods ranging from socially engineering a username and password from someone over the phone to taking advantage of a software flaw created due to insecure programming practices.

Lesson two: Be careful what you say to the press when doing interviews about a security breach at your company. I don't want to knock Love, because he was upfront and honest in his interview. But at one point, he describes how the attacker used "queries on the system that only produced information on one customer at a time." He then said he couldn't reveal how the hackers go into the network because of an ongoing investigation.

Wow! Did anyone else catch that? Exactly! I did a double-take when I read it because it sure sounds like he described a SQL injection attack just before saying he couldn't reveal the method. My guess is his lawyers and PR folks had a quick coaching session on what not to say in the future.

Finally, while Love claims that several sophisticated "hackers" were coordinating the attacks on his Website, I'm more inclined to believe it was the work of a single person. He based his claim on the fact that the attacks came from a dozen IPs around the world -- one attacked for 10 minutes, then the next attacked for 10 minutes, and so on.

Seriously, if I were the attacker, I'd find a neighborhood with several insecure wireless home networks, use Tor to anonymize my traffic, and proxy my attacks through some computers around the world that I'd previously compromised. Then, since I did it by myself, I wouldn't have to share the money I made with anyone else.

While I regularly preach about keeping patches up-to-date, don't forget about secure programming practices -- especially for Internet-facing applications. And, if you have a breach, don't ever try to cover it up (are you listening, TD Ameritrade?), but make sure you know what your people will say to the press. (See Lawsuit Raises Questions on TD Ameritrade Breach.)

— John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading