Nearly 5 million customers, including those in the US, UK, France and China, were affected in a data theft at electronic toy and educational material seller VTech. The company has suspended 13 websites following the hacking of its Learning Lodge app database. While the hacked database did not contain any credit card information, VTech said it did store the “name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history” of customers. Security experts from Tripwire, Lieberman Software, ESET, AlienVault, Rapid7, VASCO Data Security, STEALTHbits, Playrific and Balabit have the following comments on it.
Javvad Malik, Security Advocate at AlienVault:
Personal details of adults leaking are bad, but it is even scarier when children are involved. How can cybercriminals exploit this information?
“Compared to adult identity theft, the danger with a child’s identity being stolen is that they may not be aware of it until they are old enough to apply for a bank account, credit card, driving license, mortgage or job. So technically, someone could steal a child’s identity and use that information till the child is 18 years old – by which time their credit rating or other personal records may be damaged beyond repair.”
What should customers do?
“Depending on where they are based, different services may be available. It all involves remaining vigilant and proactive. Unfortunately, there is no easy way around it. Checking to see if there’s a credit file when a child turns 16, being turned down for benefits, getting notifications about unpaid bills, fines or taxes in the name of the child and following up as soon as possible.”
Any other comments?
“Companies need to stop and evaluate what data they are capturing and for what purposes. Is it really necessary to hold names of children, birthdates, addresses, etc.? The leak of these details can potentially impact individuals long after the company may even exist.”
Additionally, the video here explains how SQL injections work.
Craig Young, Senior Security Researcher at Tripwire:
“SQL injection is one of the most prevalent web security flaws, in which the attacker is able to alter the meaning of commands relayed to a database server. This is possible when data from a web request is directly used to construct the database (SQL) query without replacing unsafe characters. Sophisticated tools exist to automate the process of finding and exploiting this class of flaw. The most prominent tool, known as SQLmap, makes it trivial for unskilled attackers to gain extensive access into a system with options including database dumping, reading/writing files, and in some circumstances even running OS commands or exploits.
There is a solution to SQL injection; programmers can use parametrized queries to thwart SQLi attempts. This technique allows the database engine to know precisely how the input was intended to be used such that there is virtually no risk of it being misinterpreted.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
Personal details of adults leaking are bad, but it is even scarier when children are involved. How can cybercriminals exploit this information?
“Unless it turns out this whole hack was somehow about getting information about children, that’s probably not the part people would be scared of. The bad guys are going after anything that’s not nailed down and it’s highly unlikely they even knew they would get the details of kids. Whenever the bad guys score a heap of data like this that doesn’t immediately pay off like a bunch of credit card numbers, it’s going to be turned around to try and crack other sites. Did you use the same username and password for your VTech account at your online bank? For your credit card? Now the bad guys know some of your secret question answers – did you reuse those on other sites so they can simply reset your password to something they know? These are the things that really ought to scare people.”
What should customers do?
“If anyone who got caught up in this breach hasn’t already learned the lesson that they should not use the same passwords and security question answers across multiple sites, then hopefully this will make that lesson sink in. Sadly, it seems that’s the only way many people will really start taking that warning seriously.”
What should VTech do?
“VTech is only the latest on a long list of companies that have been publicly hit. Who knows how long the list would be if we knew all the ones that never hit the news or never even get detected. VTech needs to do what every other breach victim should have done and should be doing: putting security thinking into everything they do. SQL injection, the method that bad guys used to breach VTech, is something you can do a lot to prevent. That comes down to designing systems for security from the start and disciplined testing to make sure the designs are soundly implemented. Any shortcuts you take are the things the bad guys will use to make sure your name is next on that growing list of victims.”
Mark James, Security Specialist at IT security firm ESET:
“SQL injection is one of the most common attacks on websites and should be one of the first that organisations protect against. The technique enables an attacker to insert information into a data field on a website; the data is then queried by the SQL server and potentially enables the user to interact directly with the database to retrieve some or even all of the information contained therein, basically everything stored on that server.
Data breaches are always bad news for all concerned; however, when children are involved the dangers are far greater. What’s terrifying here is the fact that children’s information has been stolen, which could enable a third party to build a trust relationship that may enable them to converse with or even befriend these unsuspecting people impacted by the breach. Birthdays and parents’ and grandparents’ names are all used for secret questions, and these answers could be used for communication that could establish a conversation trail, or even worse phishing or grooming, not to mention the adults’ information being utilised for identity theft or credit card fraud.
Protecting against SQL injection is not overly difficult; the simplest way is to use parameterised statements. This way, if any special characters are used in the query they are never parsed by the SQL engine.”
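Both the Tripwire and ESET comments above describe the same flaw and the same fix. The following added example (not code from the page or from VTech) shows them side by side using an in-memory SQLite table with constructed sample rows: the string-built lookup lets a quote character in the input change the statement's meaning, while the parameterised lookup hands the same input to the engine purely as a value.

```python
import sqlite3

# Constructed sample data for a hypothetical account table (not VTech's real schema).
SAMPLE_USERS = [
    ("alice@example.com", "hash-a", "Alice"),
    ("bob@example.com", "hash-b", "Bob"),
    ("carol@example.com", "hash-c", "Carol"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    # The flaw Young describes: request data is pasted straight into the SQL text,
    # so a quote character in the input rewrites the WHERE clause.
    sql = f"SELECT name FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    # The fix: the statement text is fixed and the value travels separately,
    # so the engine treats the entire input as data, never as SQL.
    sql = "SELECT name FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    conn = make_db()
    benign = "bob@example.com"
    # Constructed input that closes the quoted literal and appends an always-true
    # condition: the textbook probe used when testing a form for this flaw.
    tampered = "' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_tampered": lookup_parameterized(conn, tampered),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

With the string-built query the tampered input returns every row in the table; with the parameterised query it matches nothing, because no account has that literal string as its email.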
Tod Beardsley, Security Engineering Manager, Rapid7:
“The VTech breach illustrates one of the major issues facing us today. With the Internet of Things, companies of all sorts are rapidly morphing into information technology companies, but without the hard-won security learnings that traditional infotech companies now enjoy. It’s tough to be both a toy manufacturer and a mature technology company with a robust security program. This is not just a challenge for companies that are just now entering tech, but a challenge for the security industry to communicate effectively, and quickly, to these companies who haven’t yet earned their security stripes the hard way.”
John Gunn, VP of Communications, VASCO Data Security:
“As security elsewhere increases, companies such as VTech are becoming more attractive targets. Because they are not protecting payment data, the security measures they employ are simply much easier to defeat. The hackers will not benefit immediately from the stolen data, but they will use it for other attacks – they collected millions of username and password combinations, and more than half of online users use the same password for all of their accounts, including their banking account. It’s another strong argument for using two-factor authentication everywhere.”
Péter Gyöngyösi, Product Manager of Blindspotter, Balabit:
“The VTech breach: sneak peek into the IoT security nightmare
“As was reported by multiple sites, the Hong Kong-based toy manufacturer VTech was breached and a massive data dump containing the personal information and passwords of 4.8 million parents and their children became public. On top of being a massive security breach that involves under-age kids, this incident showcases two things that can possibly go wrong if security does not evolve as the Internet of Things becomes more and more widespread.
“You need an account for everything.
These kids wanted to play with a toy tablet. Their parents wanted to update the device every once in a while. Just as you don’t want to set up an account to play with LEGO or to use your toaster, they probably did not want to do that for these VTech products, either. As more and more things are connected to and controlled through the Internet, it becomes less convenient or outright impossible to use a new tool without setting up an account. Having thousands of different accounts means there are thousands of places to steal your credentials from. Using single-sign-on services or a password manager to avoid password reuse becomes more and more important in a more and more connected world.”
“Usability and manufacturing costs will always trump security.
It is unrealistic to expect that security will ever be a priority in such consumer devices, especially in the cut-throat, fast-moving and highly seasonal market of children’s toys. The excellent analysis of the breach done by security expert Troy Hunt reveals that there were extremely basic problems with the security of these devices. Security was simply not a priority. Development had to happen fast, costs had to be kept low, and the user experience had to be fast and smooth, as nobody wants to deal with complex IT problems after unwrapping a gift. This is not a unique situation, but hopefully change will come, partly due to scandals like this. Manufacturers have to realize that these are not just toys but internet-connected cameras in the hands of underage children, and design their security accordingly. And as users, we have to keep in mind that right now security is a low priority for these devices, and make conscious decisions about what data we trust them with.”
Beth Marcus, CEO and Founder, Playrific:
“People are focusing on COPPA compliance but don’t know how to secure data, which is the single most important thing in protecting the child consumer. All too often, those companies interacting with kids to entertain them focus on outward trappings, and not the sustainable internal systems to prevent hackers from getting access to potentially life-changing info on kids. Through the data access structure, it’s crucial to prevent various data pieces from being put together by any external player – even when parental permission is given.
“You have to break the link between the data and the child, and the links between the various pieces of the data vault containing different elements of the individual’s data. When kids are involved, saying ‘sorry, we didn’t think about that’ doesn’t cut it. Hackers may never exploit data the way you think they might; that’s why you can’t risk having identifying information and behavior information tied together anywhere in the system at rest.”
Jeff Hill, Channel Marketing Manager, STEALTHbits:
“VTech is proud that no credit card or banking information was stolen, but ironically, the data that was stolen could potentially make this breach more damaging and dangerous over the long run. A stolen credit card can be cancelled, or at a minimum, its nefarious use by a criminal quickly discoverable by today’s advanced data analytics technologies. Personal information, however, like a child’s name, birthday, and home mailing address can be used by clever and patient cyber-criminals to compromise personal information over time using highly-targeted phishing attacks that leverage the initially-stolen information. Much more disturbing, however, is the potential for child predators to obtain and exploit the children’s information. Given this, let us all hope the attacker is being honest when declaring he has no intention to sell or otherwise make public the stolen data.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.