Happy New Year!
While you and I may have taken some time off to enjoy the holiday season, security professionals kept busy. We ended 2013 with a steady stream of revelations involving the Target breach, and now we’ve welcomed 2014 with the news of two social media-related breaches.
As I was pretty much offline during the holiday, I first heard about the Snapchat breach yesterday while watching the 6:30 national news broadcast. As Kevin O’Brien, director of product marketing at CloudLock, explained to me in an email:
A website (SnapchatDB.info) posted the personally identifiable information (PII) of nearly 4.5 million Snapchat users, including usernames and phone numbers. The website, now suspended, made it possible for users to both download the entire database in SQL and CSV format, as well as to query it for usernames or phone numbers.
This morning when I returned to my computer, I heard the news that the Syrian Electronic Army attacked Skype’s social media sites. According to Computerworld:
The attack on Skype's social media accounts appears to be linked to disclosures through newspapers by former U.S. National Security Agency contractor Edward Snowden that Internet companies allegedly provide the agency real-time access to content on their servers for surveillance purposes.
As TK Keanini, Lancope’s CTO, told me in an email, the two attacks aren’t related in any way beyond both involving social media as the primary target. The Skype attack was the compromise of Skype’s social media and the Snapchat hack disclosed user information. Yet both attacks should serve as important reminders about security and social media.
In regards to the Skype attack, Keanini warned that keeping social media accounts secure isn’t as easy as it seems, especially if you are outsourcing the staffing of these sites or you have multiple employees who are required to provide content to the corporate social media site. The more people with access and the further you go from inside IT or security department control, the more at risk the site is. Strong policies, particularly those involving login authentication, should be in place and enforced.
The Snapchat breach may appear to have little to do with enterprise. It is a tool that is popular among young people, and I’m not sure how much it has been incorporated into corporate marketing schemes (yet, because I’m sure it will). But the concerns raised by the breach should be taken seriously by the business world. The hackers purposely exploited a weakness in Snapchat’s software, and while Snapchat created a patch for the vulnerability, the damage was already done. And, as Keanini added:
The more users you have in your online system, the more attractive you are to the advanced threat. Hackers will work all day and all night to penetrate your systems and in turn, you must work all day and all night to ensure that you defend your system. At some point, product managers of these systems will prioritize security related features over all the other features in the backlog and make it happen sooner than later. Until then, there will be many more stories like this and good luck having to change your password for upward of 50+ accounts on a weekly basis.