Two Major Data Breaches Announced in Two Days
Yahoo and Quest Diagnostic: ECPI University Expert Weighs In
It seems data breaches have become a part of daily life, but this week’s news has brought with it two hacks that remind people how vulnerable information systems and networks continue to be.
Yahoo announced it had uncovered yet another data breach, one that occurred more than three years ago and compromised one billion user accounts, and Quest Diagnostics revealed it had been compromised as well, resulting in the theft of personal information from 34,000 patients.
Hackers used a technique called “forged cookies,” also called “cookie poisoning,” to impersonate users, accessing their accounts on Yahoo’s web site without having to log in. “Web applications are stateless, so credentials have to be passed between the web browser and the web server for each access,” says ECPI University Dean of Computer and Information Science Dr. Keith A. Morneau. “This information is not encrypted if you are using standard http and is passed between a browser and a web server in clear text, which can easily be captured and used by hackers to impersonate a user.
“Web applications would store a cookie in a web browser’s cache so that a user does not have to log in each time they access a web site. It is pretty easy for hackers to use that information from a user’s browser because it is not secured. One way to protect this communication is to clear stored cookies from your browser regularly, make sure that cookies expire, and use SSL, which is https, when accessing a web site. Also, if you are developing a web application, avoid using cookies if at all possible so you do not introduce a vulnerability without realizing it.”
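The cookie protections mentioned in the quote above (forced expiry, https-only transport, not trusting whatever the browser presents) can be made concrete on the server side. The following is an added example written for this page, not code from Yahoo, Quest Diagnostics, or Dr. Morneau: a hypothetical session cookie that is HMAC-signed so a forged or tampered value is rejected, carries an expiry that is checked on every request, and is issued with Secure, HttpOnly and SameSite attributes; `SERVER_SECRET` and the `session` cookie name are assumptions.

```python
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional

# Assumed server-side key for this example; a real deployment would load it
# from a secrets store, never from source code.
SERVER_SECRET = b"constructed-secret-for-this-example-only"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload; only the server can produce this."""
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_session_cookie(user_id: str, ttl_seconds: int,
                         now: Optional[float] = None) -> str:
    """Return a cookie value binding user id and expiry time to a MAC."""
    now = time.time() if now is None else now
    payload = f"{user_id}|{int(now) + ttl_seconds}".encode()
    return payload.hex() + "." + _sign(payload)


def set_cookie_header(value: str, ttl_seconds: int) -> str:
    """Build the Set-Cookie header with attributes that limit cookie exposure."""
    cookie = SimpleCookie()
    cookie["session"] = value
    cookie["session"]["secure"] = True      # sent over https only, never clear text
    cookie["session"]["httponly"] = True    # not readable by page scripts
    cookie["session"]["samesite"] = "Strict"  # not attached to cross-site requests
    cookie["session"]["max-age"] = ttl_seconds  # browser discards it on expiry
    return cookie.output()


def verify_session_cookie(value: str,
                          now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        encoded, mac = value.split(".", 1)
        payload = bytes.fromhex(encoded)
    except ValueError:
        return None  # malformed cookie
    if not hmac.compare_digest(_sign(payload), mac):
        return None  # forged or tampered cookie: MAC does not match
    user_id, _, expires = payload.decode(errors="replace").partition("|")
    if not expires.isdigit() or int(expires) < now:
        return None  # expired: a captured cookie stops working after its TTL
    return user_id
```

The server still has to check the cookie on every request; a valid-looking cookie presented over plain http is exactly what the Secure attribute is meant to prevent the browser from ever sending.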
Just a couple of days earlier, Quest Diagnostics announced a data breach affecting 34,000 people whose patient names, birth dates, lab results, and telephone numbers were stolen. Quest engineers were able to isolate the issue and apply a patch to remove the vulnerability. The web application that was breached on the company’s network was MyQuest by Care360. It uses Java, J2EE, JSP, and the Struts framework. Apache Struts is an open source framework that employs the Model, View, Controller (MVC) architecture for server-side Java web applications.
According to cvedetails.com, 16 vulnerabilities were uncovered in Apache Struts in 2016, with a total of 56 since 2005; in that site’s categories they include cross site scripting, denial of service, bypass something, directory traversal, gain information, and execute code. “Web applications are vulnerable to attacks such as cross site scripting, SQL injections, denial of service, and others,” says Dr. Morneau. “The key to staying protected from these attacks is to be proactive through constant monitoring, vulnerability scanning/penetration testing, and application patch management.
“Application patch management is not simple with web applications. It is usually not an automated process. When a vulnerability is found, the open source community must create a patch to remove the vulnerability. Web applications that need to be patched must go through a series of rigorous testing to make sure nothing breaks in the web application when the patch is applied.” Dr. Morneau adds that organizations also need to learn that a vulnerability exists in the frameworks they are using, so there is a delay from the time a vulnerability is found until it is patched.
Sometimes organizations lag in applying patches to plug holes in an application for many different reasons. “Cybersecurity practices must be a part of the software development culture,” he says. “Organizations must practice secure coding practices to make sure they do not unknowingly create a vulnerability. Also, once a web application is deployed, they must continue to monitor the application through logs and intrusion detection and prevention systems and make sure that patches are applied when they become available.”
If you're interested in stopping data theft and ensuring technology security, you could have a place in the world of cyber security. For more information about this exciting and expanding field, contact ECPI University today. Together with an experienced admissions advisor you can see if one of ECPI University's cyber security degree paths is right for you!
It could be the Best Decision You Ever Make!
DISCLAIMER – ECPI University makes no claim, warranty, or guarantee as to actual employability or earning potential to current, past or future students or graduates of any educational program we offer. The ECPI University website is published for informational purposes only. Every effort is made to ensure the accuracy of information contained on the ECPI.edu domain; however, no warranty of accuracy is made. No contractual rights, either expressed or implied, are created by its content.