Security blogger Brian Krebs posted yesterday that identity theft protection firm LifeLock — a company that’s built a name for itself on the promise of helping consumers protect their identities online — may have actually exposed customers to additional attacks from ID thieves and phishers. Security firm Symantec, which acquired LifeLock in November 2016, took LifeLock.com offline shortly after being contacted by KrebsOnSecurity. According to LifeLock’s marketing literature as of January 2017, the company has more than 4.5 million customer accounts.
Neill Brookman, Head of EMEA Pre-sales at Janrain:
“It is ironic that a company promoting their services to consumers to protect against data breaches implements such a basic form of security to manage the user records, allowing a data breach. Using a sequential ID for each consumer record rather than a GUID (globally unique identifier) suggests they have poor development standards and no proper testing or quality control.
“A sequential ID or email address should never be used as an identifier in an application, as it is open to phishing attacks and very insecure. Consumers need to be educated and become more vigilant when signing up to services like LifeLock by checking the URLs presented as part of registration and management, and cancel the service immediately if it appears that a sequential number or their email address is used in the URL.”
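The weakness described above (an opt-out page keyed by a sequential subscriber number that echoes the stored address) can be shown beside its hardened form. The following is an added illustration, not code from the article, from LifeLock or from Janrain; the subscriber table, the token store and the `/optout?t=<token>` URL shape are constructed assumptions. The hardened version replaces the guessable number with a random per-subscriber token and never returns the full address, and the last function is the kind of regression check a team can keep to confirm that guessed keys reveal nothing.

```python
import secrets
from typing import Optional

# Constructed sample data for this example; these are not real subscriber records.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}


# --- Pattern the commentary criticises: page keyed by a sequential ID ---

def vulnerable_optout(subscriber_id: int) -> Optional[str]:
    """Unauthenticated opt-out page keyed by the sequential subscriber ID.

    Any valid ID returns the stored address, so walking the ID range
    walks the whole subscriber table.
    """
    return SUBSCRIBERS.get(subscriber_id)


# --- Hardened pattern: unguessable per-subscriber token, no echo of the address ---

# token -> subscriber_id; in a real system this is a column on the subscriber row.
_OPTOUT_TOKENS = {}


def issue_optout_token(subscriber_id: int) -> str:
    """Mint a 256-bit random token for a subscriber's opt-out link.

    The token, not the ID, goes in the emailed URL (assumed: /optout?t=<token>).
    """
    if subscriber_id not in SUBSCRIBERS:
        raise KeyError(subscriber_id)
    token = secrets.token_urlsafe(32)
    _OPTOUT_TOKENS[token] = subscriber_id
    return token


def mask_email(email: str) -> str:
    """Show only enough for the user to recognise the address, e.g. a***@example.com."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}"


def hardened_optout(token: str) -> Optional[str]:
    """Look the subscriber up by token and respond with a masked address only.

    Unknown and malformed tokens get the same response, so nothing distinguishes
    a valid-but-wrong guess from garbage.
    """
    subscriber_id = _OPTOUT_TOKENS.get(token)
    if subscriber_id is None:
        return None
    return mask_email(SUBSCRIBERS[subscriber_id])


# --- Leak check worth keeping as a regression test ---

def addresses_exposed_by_guessing(handler, guesses) -> int:
    """Count how many full stored addresses a handler reveals for a batch of guessed keys."""
    known = set(SUBSCRIBERS.values())
    return sum(1 for guess in guesses if handler(guess) in known)


if __name__ == "__main__":
    # Ten guessed sequential IDs against the weak page recover every address in the table.
    print("sequential-ID page leaks:", addresses_exposed_by_guessing(vulnerable_optout, range(1000, 1010)))
    # The same guesses against the token-keyed page recover nothing; a real link still works.
    link_token = issue_optout_token(1002)
    print("token page leaks:", addresses_exposed_by_guessing(hardened_optout, [str(i) for i in range(1000, 1010)]))
    print("legitimate opt-out shows:", hardened_optout(link_token))
```

A signed link (an HMAC over the subscriber ID, verified with `hmac.compare_digest`) would serve the same purpose without storing tokens; either way the property to test for is that the page returns nothing useful for any key the sender did not issue.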
Rich Campagna, CMO at Bitglass:
“LifeLock’s misconfiguration is yet another example of how an unknown vulnerability can pose a major threat to data security and brand reputation. Enterprises need to have visibility across their networks, cloud services, and devices in order to prevent and monitor for these kinds of risks. This data leak could have been avoided by using data-centric security tools that can ensure appropriate configurations, deny unauthorized accesses, and encrypt sensitive data at rest. Because LifeLock failed to utilize such a solution, millions of customers have had their data exposed, become more vulnerable to highly targeted spear phishing campaigns, and lost trust in a company dedicated to keeping their data safe.”
Mark Weiner, CMO at Balbix:
“The exposed email addresses of LifeLock customers unfortunately do make them easy targets for those engaged in spear-phishing. Not having broad visibility into the breach risk across an enterprise’s entire attack surface continues to be an issue for most organizations, and attackers are waiting for opportunities like this to strike. When an enterprise is not thinking proactively, misconfigurations such as this are easily missed. LifeLock may also suffer some brand reputation damage due to the bug as well.”
Chris Stoneff, Vice President of Security Solutions at Bomgar:
“Regarding the possibility of spoofing LifeLock, this just seems to back up what I have always done: No matter who the vendor email appears to come from, don’t click on links or call the numbers in those emails. If I have a relationship with the vendor already, and there is an interesting offer or message, call the company directly or go to their website directly and talk to the vendor directly.
When you get an email that isn’t digitally signed (even then, maybe!), you don’t know what you are getting.
In this world people want easy access and one-click type protection, but convenience means one throat to cut in order to get all the information we want. That makes companies that collect this information exceptionally high value targets. It’s not surprising that they got hit, it is surprising it took this long.”
Pravin Kothari, CEO at CipherCloud:
“It is a bit ironic that LifeLock is a security company focused on helping 4.5 million consumers protect their online identities. They need to be on top of cyber defense best practices. Brian Krebs revealed a web implementation at LifeLock that seems to have allowed anyone to harvest millions of the LifeLock subscriber emails. The LifeLock team should know better. Krebs describes a web team that “lacked a basic understanding of web site authentication and security.” This poor set-up seems to have allowed anyone to harvest all of the LifeLock subscriber emails, potentially for a phishing campaign or worse. No one seems to know how many, if any, of the emails have been harvested for some nefarious purpose.
How could this have been avoided? Do what the financial industry does. They regularly hire white hat hackers to penetration test their network and external defenses. This is exactly the sort of incorrect set-up and misconfiguration a reputable penetration tester would have likely discovered. It would have been quietly fixed by now – no harm, no foul. All of this hoopla over the huge potential exposure of LifeLock customer data was totally avoidable.”
Paul Bischoff, Privacy Advocate at Comparitech.com:
“The website vulnerability is a bit embarrassing for a company devoted to protecting people’s online identities, especially because it’s such a rookie mistake to make. That being said, it wasn’t particularly severe and was patched before any real harm was done, according to LifeLock. The company says that page is managed by a third party to allow recipients to subscribe and unsubscribe from emails and was not part of the member portal. LifeLock stated, “We have no indication at this time of any further suspicious activity on the marketing opt-out page.”
Had hackers found out about the vulnerability before a security researcher did, the consequences could have been greater, but no other information besides email addresses was at risk. A breach could have resulted in a spear phishing campaign against LifeLock users through those emails.”
Mounir Hahad, Head of Threat Research at Juniper Networks:
“This is a poor programming practice, not a misconfiguration. On a positive note, it’s good that only email addresses were leaked. These are still valuable, but not as valuable as if names were associated with them. Single email addresses with names, or even a few hundred, might not have much street value on the dark web, but a list of several million could fetch a few thousand dollars.
The trouble begins when these email addresses and subscriber IDs are cross referenced with the billions of previously leaked online accounts from other incidents, such as the Yahoo leak in 2013. From there, phishing campaigns can be very persuasive and may lead to people unknowingly handing out their passwords to scammers.”
Willy Leichter, Vice President of Marketing at Virsec:
“It’s bad enough that our personal information is under assault, but we also have to be extremely wary of companies that are exploiting attacks to drum up business. It’s inexcusable for a company like LifeLock to have anything but the most resilient systems and security practices. These companies are storing far more personal data than the average retailer – multiple credit cards, SSNs, banking accounts, address info and more in order to monitor unauthorized use.
Attackers who penetrate these services can hit the jackpot of personal data in a one-stop shop. Services like this can be valuable, but look for vendors with no hint of compromise – not just large advertising budgets.”