You need to pity the person who came up with what, on paper, probably seemed like a sound idea: Stage a virtual hackathon that will help quickly recruit top-notch development talent.
After all, anyone who has been involved in recruitment knows that the skills an individual lists on their CV sometimes bear not even a remote resemblance to their actual abilities. The IT team said it would take three months to build and test. The HR team gave them two weeks.
And as is sometimes the case, it was a great success. And also, a total disaster: The hackathon got hacked.
It’s one of the scenarios outlined in Verizon’s Data-Breach Digest (DBD) series of reports, which cover — in a somewhat obfuscated fashion to protect the identities of the victims — real-life cases investigated by the company’s information security experts.
The DBD report on the incident (dubbed the ‘tuple-row honey’) states that it was encountered by a “growing technology consulting” business in APAC. It’s understood the company in question works in a highly regulated sector.
“That hackathon exercise was actually hijacked,” says Ashish Thapar, who heads up the APJ region for Verizon as managing principal, investigative response. “It was actually compromised – the whole infrastructure was compromised.”
“What happened was because of the huge push in terms of time to market and launching that infrastructure to start the exercise, they missed a lot of controls that should have gone in,” Thapar said.
For example, there was no web application firewall in place. “This was a website on which the potential developers would log in and show their skills, solve some problems” using a simulation platform. “This platform itself was not secure,” Thapar said.
“What actually happened was an adversary actually got in and compromised the system using an Apache Struts vulnerability.”
“Using that vulnerability, this system was fully compromised,” Thapar added.
Personally identifiable information of the developers who had participated in the hackathon was exfiltrated.
The company had fallen short when it came to patch management and scanning for vulnerabilities, said Verizon senior security consultant Simon Ezard.
“It was just a case of rushing to get this hackathon out and not incorporating good security throughout the lifecycle” of the web application, Ezard said.
The IT team had known that the web application relied on a legacy framework and had intended to upgrade it after the first hackathon. And because the event was invite-only, they assumed it would be okay to briefly run the application without a web application firewall.
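The report attributes the breach to weak patch management and vulnerability scanning around a known-legacy framework. The script below is an added example (not Verizon's code and not the victim's) of the kind of automated gate that catches this before launch: it parses a Maven manifest, looks up the Apache Struts 2 dependency (org.apache.struts:struts2-core is the real Maven artifact) and fails if the declared version is below a policy minimum. It assumes the application was a Maven-built Java project, which the article does not state, and the pom.xml, its version strings and the policy minimum are all constructed placeholders, not advisory data about any actual Struts version.

```python
"""Dependency-version gate for a Maven manifest (added example, not Verizon's
or the breached company's code). Parses a constructed pom.xml, finds Apache
Struts 2 (org.apache.struts:struts2-core) and reports whether its version is
below a policy minimum. The minimum is a PLACEHOLDER chosen by the policy owner,
not a claim about which Struts versions are vulnerable."""
import re
import xml.etree.ElementTree as ET

# Constructed sample manifest; every version string here is illustrative only.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.hackathon</groupId>
  <artifactId>recruiting-portal</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
    </dependency>
  </dependencies>
</project>
"""

# Maven POM elements live in this default namespace.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Placeholder policy: minimum acceptable version per artifact, maintained by the
# security team from vendor advisories. The value here is NOT real advisory data.
POLICY_MINIMUMS = {
    ("org.apache.struts", "struts2-core"): "2.5.99",  # placeholder minimum
}

def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1); non-numeric suffixes such as '-SNAPSHOT' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def list_dependencies(pom_text):
    """Return [(groupId, artifactId, version)] for each declared dependency."""
    root = ET.fromstring(pom_text)
    deps = []
    for d in root.findall(".//m:dependencies/m:dependency", NS):
        g = d.findtext("m:groupId", default="", namespaces=NS)
        a = d.findtext("m:artifactId", default="", namespaces=NS)
        v = d.findtext("m:version", default="", namespaces=NS)
        deps.append((g, a, v))
    return deps

def find_outdated(pom_text, policy=POLICY_MINIMUMS):
    """Return [(group, artifact, found_version, required_minimum)] for every
    dependency whose declared version is below the policy minimum."""
    findings = []
    for g, a, v in list_dependencies(pom_text):
        minimum = policy.get((g, a))
        if minimum is not None and parse_version(v) < parse_version(minimum):
            findings.append((g, a, v, minimum))
    return findings

if __name__ == "__main__":
    # In CI, a non-empty result would fail the build before the site goes live.
    for g, a, v, minimum in find_outdated(SAMPLE_POM):
        print(f"BLOCK: {g}:{a} {v} is below policy minimum {minimum}")
```

Run as a pre-deploy step, the gate turns "we meant to upgrade it after the first hackathon" into a hard stop; the same check over a lockfile or an SBOM covers frameworks beyond Struts with no change to the logic.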
Verizon launched the Data-Breach Digest series three years ago as a complement to its long-running Data Breach Investigations Report. The aim, Thapar said, was to give deeper insight into the investigations that underpinned some of the findings of the annual DBIR.
“It basically focused on the data breach response activity – so for example things like the actual investigation, the containment, the eradication, notification and recovery,” he said.
Verizon sees a lot of commonalities across security breaches, Thapar added. “This report [series] is all about scenarios that we see quite often; they are sometimes complex or sometimes really reflect a lack of even basic security hygiene on customers’ part.
“Sometimes we see customers getting excited with all these new tools, machine learning and artificial intelligence and then you look at the basics — and they’re really not present. And that’s exactly what prompted us to produce this report.”
For example, time and again Verizon’s investigators find a lack of network segmentation that could help limit an attacker’s lateral movement, Thapar said.
In addition, many of the data breaches Verizon encounters involve what he likes to call the “three musketeers” – social engineering (particularly phishing), malware installation and stolen credentials. Steps like implementing multi-factor authentication, password hygiene and data segregation can go a long way to preventing many breaches, he added.
Verizon's DBDs are available online.