Ever since the Heartbleed bug disaster, you’d think companies are becoming more vigilant with their web security plan. Recent events seem to show evidence to the contrary, with millions of users’ data left exposed to cyber-attacks on popularly used websites, including a government website and eBay.
Security flaws in Australian government website
Security researcher Nik Cubrilovic recently identified severe flaws in the Australian government’s myGov website which hosts over 2.2 million users – all accessing their private information, such as medical history, welfare, taxes and child support on a daily basis. Essentially, myGov is a Single authentication solution where users log in once and access all their government-related services through one portal.
"If you were to score this [myGov] site out of 10 in terms of security it would be, like, zero or barely half a point," Cubrilovic told The Sydney Morning Herald. This is pretty alarming seeing as the Australian government seems to be aiming towards having all its services available online in the near future.
Cubrilovic found various vulnerabilities on the myGov website, including XSS vulnerabilities which allowed him to take control of user accounts (for testing purposes), and steal users’ session cookies – thus allowing him to steal further user details. The reported security flaws were, for the most part, left unchecked by the government department.
Although some of the vulnerabilities have been patched by the myGov department since they were reported on May 2, the website has been available, in different forms, since 2009 – so it is impossible to know if and what data might have been accessed by hackers.
eBay hacking scandal
eBay Inc. is the latest company to take a cyber-attack bullet! One of its databases containing encrypted passwords and other data including: postal addresses, email addresses, names, and dates of birth, was attacked. The attack was carried out in late February but was only discovered by eBay two weeks ago.
Hackers managed to gain access to a few employee log-in credentials which gave them a free pass to the corporate network. According to eBay’s statement, no financial-related data seems to have been disclosed as it’s stored separately on encrypted platforms.
You might think that if financial-related data isn’t compromised, an attack isn’t a big deal. However, taking into consideration what was exposed, hackers can still do a lot of damage – identity theft and phishing scams being the top goals for hackers in this scenario. All 145 million global users have been asked to change their passwords in an attempt to decrease their chances of having further data stolen. This plea might fall on deaf ears seeing as 47% of US online users still haven’t changed their passwords after the Heartbleed announcement – this according to LifeLock’s recent survey.
How to prevent your company’s website from making the headlines for the wrong reasons
- Implement a strict password policy across your business, where passwords have to include different character types in order to be accepted.
- Take complex passwords to the next level and implement a two-factor authentication process so if a password is compromised, hackers can’t access customer accounts from a different device.
- Invest in a vulnerability scanner that can crawl and scan your web applications and servers. Most attacks don’t leave a trace and aren’t detected until it’s too late, scanners help you find and fix exploitable vulnerabilities before hackers do.
- Remediate any vulnerabilities as soon as they’re found.
- Keep up to date with what vulnerabilities are out there and how hackers are exploiting them.
- Just keep patching – make sure all your software is regularly updated.
What online users should be doing
Online users are being shoved into a situation where they must be aware of the security risks posed when creating user accounts and have to play their part in the web security crusade.
- Passwords. This may be a broken record that everyone is sick of hearing about, but having a complex password is basically your first and last line of defense as a user. Don’t use the same password for different online accounts. Once one password is compromised, then all of them are. It is a big pain to come up with different strong passwords and then remember each one. No, writing them all on a sticky-note and leaving it on your desk isn’t what we’d call ‘secure’. There are loads of good password managers out there you can use.
- Don’t follow direct links in emails from companies asking you to change your password as these might be phishing scams. Instead, go to the website from your browser to change your password.
- Follow web security news and stay on top of the latest cyber-attack news. It’s the best way to know if your online accounts are safe.
Even huge companies with big web security budgets can be victims of cyber-attacks – no company, big or small, is immune so do your part to prevent it happening to you.