7 October 2021

7 Devastating Cases That Could Have Been Prevented By Security Testing
Cybersecurity Ventures, the publisher of Cybercrime Magazine, expects global cybercrime costs to grow by 15% a year and reach USD 10.5 trillion annually by 2025. The threat is real, but it is not hopeless: the right testing can cut your own share of those costs.

To make cybercrime more concrete, and to show that there is a solution, we have collected seven real-life cases in which a lack of security testing led to large corporate losses and damaging data breaches. After each story, we explain how it could have been avoided.

The services we recommend along the way:

  1. Penetration Testing
  2. Social Engineering
  3. Awareness Training
  4. Network Penetration Testing
  5. Red Teaming
  6. Vulnerability Scanning
  7. Live Hacking
  8. Computer Forensics

1.  Marriott


  • What Happened? 

At the end of March 2020, the hospitality giant Marriott announced a data breach for the second time in two years. The incident exposed personal data of roughly 5.2 million guests: contact details such as phone numbers and email addresses, loyalty account details and, for some guests, the names of the companies they worked for. Marriott said the attackers had used the login credentials of two employees at a franchise property to query guest records, starting in mid-January 2020.

  • How could it have been avoided?

Marriott has not published how the attackers obtained those two logins, so we highlight three services, in two scenarios, that could have prevented this kind of breach.

  1. If the weakness was in the system - Penetration Testing

Trained testers attack the system the way an intruder would, and they would have looked at exactly the weak spot here: what a single franchise employee's account is able to do. A test typically flags credentials usable without multi-factor authentication, accounts that can query guest records far beyond the property they belong to, and the absence of alerting on unusually large or repeated lookups. Finding those gaps early means they are closed before an attacker finds them.

  2. If the problem was the employees - Social Engineering and Awareness Training

It would be foolish to rule out the employees themselves as the way in, whether through phishing or a reused password. Two services address that. First, Awareness Training familiarizes staff with current threats and with the corporate security policy. Then a Social Engineering assessment tests them: with management's consent, the assessors try to talk or phish employees into handing over credentials or data. The exercise teaches the team what an attack looks like and shows where the weakest links are.

2. TK Maxx


  • What Happened? 

The intrusion began in 2005, when hacking was far less routine than it is now, and was only disclosed by the parent company TJX in 2007. Attackers broke into the store Wi-Fi network of the retail group behind TK Maxx and TJ Maxx, which was protected only by the long-broken WEP scheme, and from there reached the systems that handled card payments. TJX put the number of stolen card numbers at 45.7 million; later court filings estimated over 90 million.

  • How could it have been avoided?

A Network Penetration Test would have found this. Testers assess the corporate network from outside and from inside it, and in 2005 the first things they would have flagged were WEP on the store wireless network (known to be breakable since 2001) and a flat network that let a Wi-Fi foothold reach payment systems. Their report recommends the fixes: stronger wireless encryption, segmentation, and new security policies and procedures.


3. MyFitnessPal

  • What Happened? 

In late February 2018, MyFitnessPal, owned by Under Armour, suffered a breach affecting roughly 150 million accounts (usernames, email addresses and hashed passwords). About a year later the data surfaced for sale on the Dream Market dark-web marketplace as part of a batch of some 617 million accounts stolen from 16 websites.

  • How could it have been avoided?

The MyFitnessPal team's main problem was that the intrusion went unnoticed for about a month. Detection and reaction could have been faster and more effective had they practised with Red Teaming. In a Red Team engagement, experienced attackers pursue a concrete objective against your systems (here, the user database) while the defenders are not warned, so the exercise measures how quickly the intrusion is detected, how the team responds and how it contains the damage. Those are exactly the abilities, to detect, respond to and prevent sophisticated threats, that the exercise assesses and improves.

4. Twitter


  • What Happened? 

In May 2018, Twitter asked all of its roughly 330 million users to change their passwords. A bug in the password-hashing process had written passwords to an internal log in plaintext before they were hashed, so anyone with access to that log could have read them. Twitter said it had found no sign that the log had been misused.

  • How could it have been avoided?

Vulnerability Scanning is the automated method here. A scanner identifies and classifies known weaknesses in network equipment, operating systems and applications, probing the same attack surface an internal or external threat actor would. Run regularly, it catches exposed services and outdated components before an attacker does. One caveat a practitioner would add: a scanner would not have seen a password being written to a log, because that is an application logic bug, not an exposed service. Catching it takes a code review of the logging path and secret scanning of the logs themselves, controls that belong in the same regular schedule.
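To make the Twitter failure concrete, here is an added example in Python (not Twitter's code, and not part of the original post) of the two controls that catch it: a logging filter that redacts secret fields before any handler writes them, and a scan that finds unredacted values in logs that already exist. The field names in SENSITIVE_KEYS and all log lines are constructed for the example.

```python
import logging
import re
from io import StringIO

# Parameter names that must never reach a log line. Assumption: these
# are the names the hypothetical application uses for its secrets.
SENSITIVE_KEYS = ("password", "passwd", "new_password", "token", "secret")

# Matches key=value, key: value and "key": "value" forms of those names
# as they appear in query strings, form bodies and JSON.
_SECRET_RE = re.compile(
    r'(?P<key>\b(?:' + "|".join(SENSITIVE_KEYS) + r')\b)'
    r'(?P<sep>"?\s*[=:]\s*"?)'
    r'(?P<val>[^&\s",}]+)',
    re.IGNORECASE,
)


def redact(text: str) -> str:
    """Replace the value of every sensitive field with a fixed marker."""
    return _SECRET_RE.sub(
        lambda m: f"{m.group('key')}{m.group('sep')}[REDACTED]", text
    )


class RedactingFilter(logging.Filter):
    """Scrubs secrets from a record's message before any handler sees it.
    Attached to the logger (not one handler) so every file, stream or
    network destination receives the scrubbed text."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already formatted; nothing left to interpolate
        return True


def build_logger(stream) -> logging.Logger:
    """Logger writing to `stream` with the redacting filter installed."""
    logger = logging.getLogger("auth-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.propagate = False
    return logger


def find_leaked_secrets(log_lines) -> list:
    """Retroactive check on logs you already have: return every line
    that still carries an unredacted value for a sensitive field."""
    leaked = []
    for line in log_lines:
        if any(m.group("val") != "[REDACTED]" for m in _SECRET_RE.finditer(line)):
            leaked.append(line)
    return leaked


def demo() -> str:
    """Log two constructed requests the way a buggy auth service might
    (verbatim, before hashing) and return what actually reached the log."""
    buf = StringIO()
    log = build_logger(buf)
    log.info("login attempt user=alice password=correct-horse ip=203.0.113.9")
    log.info('reset request body: {"user": "bob", "new_password": "hunter2"}')
    return buf.getvalue()


# Constructed sample of an existing log file with one leak in it.
SAMPLE_LOG = [
    "INFO login attempt user=alice password=[REDACTED] ip=203.0.113.9",
    "INFO login attempt user=carol password=letmein ip=198.51.100.4",
    "INFO session refresh user=carol",
]

if __name__ == "__main__":
    print(demo())
    print("leaks:", find_leaked_secrets(SAMPLE_LOG))
```

The filter sits on the logger rather than on a single handler so that every destination gets the scrubbed message. The retroactive scan is the check to run over historical logs once a bug like Twitter's is suspected, because the question that matters then is who had read access to those files.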


5.  Adobe


  • What Happened? 

In October 2013 Adobe disclosed that attackers had taken internal IDs, usernames, email addresses, encrypted passwords and password hints of its users; the dump that later circulated held more than 150 million records. The real flaw was in how the passwords were stored: they were encrypted with a single key using 3DES in ECB mode rather than salted and hashed, so every user with the same password had the same stored value, and the hints were kept in cleartext beside them. Anyone with the dump could group identical ciphertexts and use the weakest hint in each group to recover the password for every account in it.

  • How could it have been avoided?

All of the services mentioned so far apply here. But the company could have learned the basic rules (hash with a per-user salt, never store hints in cleartext) by attending a Live Hacking event. At a Live Hacking event you watch the attack unfold. If the company had seen how quickly a weakly protected password store falls, or had taken part as the target for white-hat hackers, it would have seen its own flaws clearly and fixed them quickly.
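What the Adobe dump gave attackers, and what salted hashing would have denied them, as an added example in Python (not Adobe's code and not part of the original post). The user table, passwords and hints are constructed; an unsalted SHA-256 digest stands in for Adobe's deterministic 3DES-ECB encryption, since the property that matters is that equal inputs give equal outputs.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample user table: (username, password, password hint).
# As in the Adobe dump, the hint sits in cleartext beside the password.
USERS = [
    ("alice", "123456", "numbers"),
    ("bob", "123456", "one to six"),
    ("carol", "123456", "obvious"),
    ("dave", "correct-horse", "xkcd"),
]


def store_deterministic(password: str) -> str:
    """Stand-in for Adobe's scheme (one key, 3DES in ECB mode, no salt):
    equal passwords give equal stored values. An unsalted SHA-256 digest
    is used here only to avoid a third-party cipher library; the property
    being demonstrated, determinism, is the same."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256): equal
    passwords give different stored values and every guess costs work."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2_sha256${200_000}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_dump(store) -> list:
    """What an attacker obtains: (username, stored value, hint) per user."""
    return [(user, store(pw), hint) for user, pw, hint in USERS]


def cluster_by_stored_value(dump) -> list:
    """The attacker's first move on the dump: group users whose stored
    value is identical. Every hint in a group describes the same password,
    so the weakest hint reveals it for all of them."""
    groups = defaultdict(list)
    for user, stored, hint in dump:
        groups[stored].append((user, hint))
    return [members for members in groups.values() if len(members) > 1]


if __name__ == "__main__":
    print("deterministic:", cluster_by_stored_value(build_dump(store_deterministic)))
    print("salted:", cluster_by_stored_value(build_dump(store_salted)))
```

With the deterministic store, alice, bob and carol collapse into one cluster and the hint "one to six" gives away all three accounts; with per-user salts there is nothing to cluster, and the hint problem is solved separately by not storing hints at all.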

6. Zynga


  • What Happened?

In September 2019, Zynga, the maker of FarmVille and Words With Friends, was hacked. A database of more than 200 million user accounts was stolen, including email addresses, phone numbers, hashed passwords and users' Facebook IDs.

  • How could it have been avoided?

As with Adobe, several of the services above could have prevented the attack. This time we suggest one that helps you get back on your feet afterwards: Computer Forensics. Computer Forensics is the analysis of an attack that has already happened. Investigators examine the compromised systems, computers and networks, preserving evidence so that it stays admissible, to establish how the attackers got in, what they accessed and who was responsible. The findings close the hole that was used and serve as evidence in court.

7. Heartland Payment Systems

  • What Happened?

In 2008 attackers broke into Heartland Payment Systems, a processor handling about 100 million card transactions a month, through a SQL injection flaw in a web application, then planted sniffers on the payment network and harvested card data as it passed through. Roughly 130 million card numbers were exposed. Heartland disclosed the breach in January 2009 after Visa and MasterCard alerted it to suspicious activity on cards it had processed.

  • How could it have been avoided?

The way in was SQL injection, which Web Application Penetration Testing is designed to find: testers feed crafted input into every parameter the application passes to a database and watch for a changed response. Beyond injection, a web application test checks authentication and session management, access control between users, and maps the most likely route an attacker would take through the application.
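The injection class that opened Heartland, and the parameterized form that closes it, as an added example in Python with SQLite (not Heartland's code and not part of the original post). The merchant table and the tester's probe are constructed for the example; the real attack used the foothold to reach the payment network, which this snippet does not model.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample: a merchant portal's login table, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO merchants (name, pw_hash) VALUES (?, ?)",
        [("acme", "hash-1"), ("globex", "hash-2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name: str) -> list:
    """Query assembled by string formatting: whatever the user types is
    parsed as SQL. A quote in the input ends the string literal early."""
    sql = f"SELECT id, name FROM merchants WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name: str) -> list:
    """Parameterized query: the input is bound as a value after the
    statement is parsed, so it can never change the query's structure."""
    return conn.execute(
        "SELECT id, name FROM merchants WHERE name = ?", (name,)
    ).fetchall()


def probe_for_injection(query_fn, conn) -> bool:
    """The check a web-application tester runs against each parameter:
    a name that cannot exist should return nothing; if appending a
    tautology (' OR '1'='1) makes rows appear, the input reached the SQL."""
    baseline = query_fn(conn, "no-such-merchant")
    tainted = query_fn(conn, "no-such-merchant' OR '1'='1")
    return len(tainted) > len(baseline)


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_safe):
        print(fn.__name__, "injectable:", probe_for_injection(fn, db))
```

The probe is deliberately crude: production scanners also try error-based, UNION-based and time-based payloads, and they test every parameter, header and cookie, not just the obvious form field. The fix is the same in every case: bind values, never concatenate them.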

Conclusion 

We recommend that every business lower its risk of becoming a target. Security testing should be conducted at least twice a year, and after every major change to the systems, to prevent cases like the ones above. But as the stories show, the system is not the only place where errors live: train the whole team to cut down on human error.

Take your first step towards a secure digital presence with our special offer, a free scan of your website. Contact us and be safe straight away!


 

7 October 2021

Pentesting Methods That Will Secure Your Android Phone
Mobile apps have become one of the most significant parts of daily life. In most developed and developing countries the smartphone is a primary way of accessing the internet. Enterprises therefore hold a great deal of their users' private data, and they owe it to those users to keep it private.

Given how deeply mobile and IoT devices are woven into daily life (and many of them run Android), the risk of losing control of our data keeps growing. Take the Air Canada mobile app breach of August 2018: the airline said attackers had accessed profile data, including passport numbers and expiry dates, NEXUS frequent-traveller numbers and dates of birth, of up to 20,000 users. Data like this is traded on dark-web markets and is exactly what identity theft needs. Beyond the direct harm, an attack of this kind disrupts the whole organization's operations.

Two principles we highlight at ByteSnipers are safety and convenience. Tech companies usually want to offer the best UI and customer experience; at ByteSnipers we think it is equally important to build a robust and secure application.

An efficient way to raise an app's protection is to find all of its vulnerabilities and fix them regularly. Below we look first at the threats Android apps face and then at a repeatable penetration-testing procedure that organizations can follow to avoid becoming the victim of a cyberattack.

Android security threats

According to Verizon's 2019 Data Breach Investigations Report, mobile malware is among the least common ways a data breach is attempted, behind even physical attacks. That is due both to the nature of mobile malware and to the protections built into modern mobile operating systems.

Let's look instead at the threats that are easily overlooked.

Data leakage

As sad as it sounds, data leakage is widely seen as one of the most troubling corporate security threats of 2019. Remember the almost non-existent risk of malware infection? Compare that with the Ponemon Institute's latest estimate: a business has roughly a 28% probability of experiencing at least one data breach over the next two years, a bit more than one chance in four.

What makes the problem particularly vexing is that it is mostly not malicious: users unintentionally make ill-advised choices about which apps can see and move their data.

Wi-Fi interference

Mobile devices on unsecured Wi-Fi are easy to attack. A wireless access point is not unsafe in itself, but without encryption anyone in range can watch the traffic. Most of us use public Wi-Fi without knowing whether it can be trusted, which means our data is often less secure than we assume.

How serious is this? According to Wandera's research, nearly a quarter of devices had connected to open (and possibly hostile) Wi-Fi networks, and 4% of devices had encountered a man-in-the-middle attack in the preceding month.

Out-of-date devices

Smartphones, tablets and the smaller connected devices known as the Internet of Things (IoT) have created a new challenge for corporate security. Unlike conventional work devices, many of them come with no promise of timely, continuous software updates. This is especially true on Android, where a large share of manufacturers are embarrassingly poor at keeping their products up to date, both for operating-system upgrades and for the smaller monthly security patches in between. Worse still are the many IoT devices that were never built to receive updates at all.

Device choice goes a long way: some Android vendors do ship timely, continuous updates. Beyond that it falls to the organization to standardize on such devices, retire the ones that no longer receive patches, and build its own controls around them to maintain a safe digital environment.

Mobile ad fraud

Ad fraud takes many shapes, but malware is most widely used to generate clicks on advertisements that appear to come from a real app or website user. A user might, for example, download an app that provides a legitimate service such as a weather forecast or a chat client, while in the background the app produces fake clicks on legitimate advertisements displayed in the app. By far the most popular platform for mobile ad fraud is Android.

Mobile advertisers and ad-supported publishers are the primary victims, but ad fraud still harms phone users, whose devices and data plans do the work. Publishers are usually paid per click, so mobile ad fraud drains business marketing budgets and can deprive honest publishers of income.


With those threats in mind, here is the penetration-testing procedure we use for Android apps, as a repeatable process that organizations can adopt.

Android App Penetration Testing Methodology


Part 1: Reconnaissance

The early phase sets the stage by identifying the areas of greatest risk to be checked. The pentesting team therefore needs to establish the application's primary purpose and the full spectrum of its functionality, and to map its data flows in order to find potentially vulnerable areas as well as third-party libraries and undocumented functions.

Part 2: Static Analysis

In static analysis the APK is examined without running it. The package is pulled from the device or the build pipeline, unpacked, and its DEX bytecode disassembled or decompiled back into readable source, so the team can judge whether any static data held in the APK (manifest settings, hard-coded keys and endpoints, stored credentials) could be used to defeat the app's network security or widen the attack surface. Static analysis covers, among other things: code obfuscation, root detection (the Android counterpart of jailbreak detection) and whether it can be bypassed, the SSL-pinning mechanism, access granted to and from other applications (exported components), and secrets or sensitive data stored in cleartext.

Part 3: Dynamic Analysis

Dynamic analysis finds flaws while the app is running. It usually means routing the app's traffic through an intercepting proxy and hooking functions at runtime so requests and responses can be seen and modified in real time. Typical findings are authentication and authorization defects (including insecure direct object references), content spoofing, memory leaks, insufficient transport-layer protection such as certificate validation that can be bypassed, application logic flaws, and cross-site scripting in web views.

Part 4: Findings Report

Threats should be risk-rated with CVSS v3 and listed in a report as soon as all flaws are identified, with mitigation recommendations and concrete objectives for each.

Seeing the business impact and risk level of each vulnerability lets the internal team decide what to tackle first.

Part 5: Remediation

Remediation can be done by the internal team or by the security provider, following the report's recommendations. To guarantee that vulnerabilities are actually fixed, an effective follow-up is required: a retest of each finding.

Not every bug can be fixed in the time available. Before deciding whether to continue with a significant app upgrade, the company needs to weigh the risks that remain.
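An added example of the static-analysis checks from Part 2, in Python (not ByteSnipers' tooling and not part of the original post): it reads a decoded AndroidManifest.xml and decompiled Java the way apktool or jadx produce them, and emits severity-ranked findings of the shape the report in Part 4 starts from. The manifest, the Java class and the detection rules are constructed for the example; the AWS key is Amazon's documented placeholder.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample input, standing in for what apktool/jadx recover from
# an APK: the decoded AndroidManifest.xml and one decompiled Java class.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:debuggable="true" android:usesCleartextTraffic="true"
               android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.app.data"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.app.SYNC"/>
  </application>
</manifest>"""

SOURCE = """package com.example.app;
class ApiClient {
    static final String BASE = "http://api.example.com/v1/";
    static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";
    void save(Context c, String token) {
        c.getSharedPreferences("prefs", 0).edit().putString("auth_token", token).apply();
    }
}"""


def _attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def check_manifest(xml_text: str) -> list:
    """Manifest-level checks: debug build, cleartext traffic, backup
    exposure and components reachable by any other app on the device."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if _attr(app, "debuggable") == "true":
        findings.append(("high", "application is debuggable"))
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append(("medium", "cleartext HTTP traffic permitted"))
    if _attr(app, "allowBackup") == "true":
        findings.append(("low", "app data extractable via adb backup"))
    for comp in app:
        # Exported activities are routinely intended (launchers, deep links);
        # providers, services and receivers exported without a permission
        # are the classic inter-app exposure.
        if (comp.tag in ("provider", "service", "receiver")
                and _attr(comp, "exported") == "true"
                and _attr(comp, "permission") is None):
            findings.append(("high", f"{comp.tag} {_attr(comp, 'name')} exported without permission"))
    return findings


# (severity, title, pattern) rules run over decompiled source.
SOURCE_RULES = [
    ("high", "hard-coded AWS access key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("medium", "cleartext http:// endpoint", re.compile(r'"http://[^"]+"')),
    ("medium", "secret written to SharedPreferences in cleartext",
     re.compile(r'getSharedPreferences\(.*putString\(\s*"[^"]*(token|password|secret)')),
]


def check_source(java_text: str) -> list:
    findings = []
    for severity, title, pattern in SOURCE_RULES:
        for m in pattern.finditer(java_text):
            findings.append((severity, f"{title}: {m.group(0)[:60]}"))
    return findings


def analyze(manifest_xml: str, sources: dict) -> list:
    """Combine both passes and order by severity; CVSS scoring of each
    finding happens afterwards, by hand, in the report."""
    findings = check_manifest(manifest_xml)
    for path, text in sources.items():
        findings += [(sev, f"{path}: {msg}") for sev, msg in check_source(text)]
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for severity, message in analyze(MANIFEST, {"ApiClient.java": SOURCE}):
        print(f"[{severity:6}] {message}")
```

Note what the rules do and do not prove: the manifest checks are definitive, but a regex hit in decompiled source is a lead for the tester, not a confirmed vulnerability; the token-in-SharedPreferences finding, for instance, still needs dynamic analysis to confirm the file is world-readable or recoverable from a backup.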

Is Android pen-testing worth the effort?

The security posture of an Android app is often decided not by the modules inside the app but by the APIs and servers it talks to. External penetration testing for insecure direct object references and unsafe communications uncovers bugs that can and will be exploited by malicious hackers.

Manual penetration tests can be combined with automated vulnerability scans, which should run more frequently. Since scans do not take long, developers can integrate them into their workflow.

At ByteSnipers we recommend businesses follow both approaches so they stay resilient and proactive about their apps' security. Contact our team for more information on Android pentesting.
