Durex India data breach – they should have used protection says Imperva
Reports that a Web site selling Durex condoms in India has suffered a data breach – with customers details being publicly available on the Internet – appears to be the result of business logic flaws.
“Web application hackers are focusing more and more on attacks that target vulnerabilities in the business logic, rather than in the application code,” explained Imperva CTO Amichai Shulman. “Business logic attacks often remain undetected. In fact, most business logic vulnerabilities are hard to anticipate and detect using automated test tools, such as static code analyzers and vulnerability scanners. Often, attack traffic resembles normal application traffic. Attacks are usually not apparent from code and are too diverse to be expressed through generic vulnerability scanner tests.”
“With the new Data Protection Act penalties just days away from being implemented by the Information Commissioner’s Office in the UK, and other regulators around the world adopting similar `get tough’ policies, it looks like data breaches need to look beyond basic vulnerabilities such as SQL injections,” said Shulman.
“As we’ve said in our various reports on the subject of Web site attacks, it’s always amazing that companies don’t think their site defences will be probed by increasingly sophisticated hackers, let alone inquisitive Internet users,” he added.
According to Shulman, the Durex Indian Web site security lapse was almost certainly the result of a simple logic attack using a technique known as parameter enumeration.
Organisations that fail to take seriously security for their Web sites and allied Internet services, he explained, will inevitably suffer from attacks of this type, which can be an expensive option on the regulatory front, as well as when lawsuits come knowing at their door.
“And the fall-out from this saga is that the company has now been severely embarrassed internationally, and that’s before any legal or regulatory action is involved,” he said.
“Companies need to wake up and smell the coffee when it comes to Web site security. A failure to make a modest investment at the development and implementation stages can result in considerably more cost – and damage to reputation – in the longer term,” he added.