Information Security Buzz
News & Analysis

Houzz Data Breach

By ISBuzz Team, February 5, 2019 (4 min read)

The home improvement site Houzz announced a data breach this week: an unauthorized third party gained access to a file containing both publicly visible user data and private account information. In an email sent to affected users, Houzz said the file held publicly available profile information together with internal account data: user IDs, email addresses, one-way encrypted (hashed) passwords, IP addresses, city and ZIP codes derived from those IP addresses, and Facebook information.

Expert comments below:

Eoin Keary, CEO and Co-founder at EdgeScan:

“Depending on the type of password storage protection used, Houzz may have dodged a bullet! If they applied “Hashed and Salted” protection using an industry recommended algorithm (bcrypt or PBKDF2 for example) they may be OK. If not, they may have a problem. Unfortunately, many people reuse passwords across multiple websites to avoid having to remember too many login credentials. A type of attack that exploits this common habit is called “Credential Stuffing” and can be used by attackers who have obtained email addresses and passwords. Criminals use the passwords and email addresses they “harvested” from one breach to gain access to other websites or services that contain more sensitive information. This is a very simple and effective way to access accounts across different web applications based on the fruits of an initial breach.
In order to mitigate the effects of the attack, Houzz should require users to reset their password and ask them to enable multi-factor authentication. This way, if the password is known by an attacker, a second factor of authentication is required before access is granted. Multi-factor authentication is becoming more mainstream and should be recognised as an essential security practice. Houzz has rightly informed users of the breach and hopefully will monitor access attempts to account data where applicable.
My best advice to users is: don’t reuse passwords across multiple sites. If you are, reset all your passwords now. Use a password manager and choose complex passwords or a passphrase. And if there is the option to activate multi-factor authentication, enable it!”
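The two points Keary makes, that salted and iterated hashing (PBKDF2 here; bcrypt would need a third-party package) limits the damage of a leaked password file while credential stuffing bypasses even good hashing on the next site, can be shown side by side. The following Python is an added example and is not code from the original article or from Houzz; the sample accounts, the second site and the PBKDF2 iteration count are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample accounts for this example (illustrative, not Houzz data).
# alice and bob happen to share a password; carol uses a passphrase.
SITE_A_USERS: Dict[str, str] = {
    "alice@example.com": "Winter2018!",
    "bob@example.com": "Winter2018!",
    "carol@example.com": "correct horse battery staple",
}

# A second, unrelated service. alice reused her Site A password there; bob did not.
SITE_B_USERS: Dict[str, str] = {
    "alice@example.com": "Winter2018!",
    "bob@example.com": "a-different-password-for-site-b",
}

# Assumed PBKDF2 parameters: a modest iteration count so the example runs quickly;
# a real deployment should tune this upward.
PBKDF2_ITERATIONS = 50_000
SALT_BYTES = 16

StoredHash = Tuple[bytes, bytes]  # (salt, digest)


def weak_hash(password: str) -> str:
    """Unsalted single-pass SHA-256: fast to compute, identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> StoredHash:
    """Salted, iterated PBKDF2-HMAC-SHA256; a fresh random salt per user unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_pbkdf2(password: str, stored: StoredHash) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = stored
    return hmac.compare_digest(pbkdf2_hash(password, salt)[1], expected)


def build_weak_table(users: Dict[str, str]) -> Dict[str, str]:
    return {email: weak_hash(pw) for email, pw in users.items()}


def build_pbkdf2_table(users: Dict[str, str]) -> Dict[str, StoredHash]:
    return {email: pbkdf2_hash(pw) for email, pw in users.items()}


def users_with_duplicate_hashes(digests: Dict[str, object]) -> int:
    """How many users share a stored digest with someone else. Unsalted: equal passwords
    collide, so cracking one cracks all of them; per-user salts: no collisions."""
    groups: Dict[object, List[str]] = {}
    for email, d in digests.items():
        groups.setdefault(d, []).append(email)
    return sum(len(v) for v in groups.values() if len(v) > 1)


def crack_unsalted(weak_table: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline attack on an unsalted leak: hash each candidate once, then match it
    against every user's stored hash at no extra cost per user."""
    lookup = {weak_hash(w): w for w in wordlist}
    return {email: lookup[h] for email, h in weak_table.items() if h in lookup}


def credential_stuff(cracked: Dict[str, str], target: Dict[str, StoredHash]) -> List[str]:
    """Replay (email, password) pairs harvested from Site A against Site B's login.
    Site B's strong hashing does not help here: the attacker holds the plaintext,
    so only a reset or a second factor on Site B stops the login."""
    return [email for email, pw in cracked.items()
            if email in target and verify_pbkdf2(pw, target[email])]
```

Run `crack_unsalted(build_weak_table(SITE_A_USERS), wordlist)` to see both reused passwords fall to one wordlist pass, then `credential_stuff` against `build_pbkdf2_table(SITE_B_USERS)` to see the reuse carry over to the second site regardless of how well that site hashes.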

Todd Peterson, IAM Evangelist at One Identity:

“The reality of doing business today is that you often must rely on third-parties for key IT activities. This has certain advantages in that it allows an organisation to focus on their core competencies rather than IT activities that are outside of their main scope. However, this practice also opens up additional layers of risk. As with any IT administration activity, simply enabling an individual (or a third party) to do their job requires that they receive elevated permissions on the system they administer, and those permissions often open the doors to sensitive systems and data. This is dangerous enough with internal staff but exponentially riskier when the permissions need to be granted to a third party. Many high-profile breaches are the result of a well-intentioned third-party access falling into the wrong hands or being abused by the third party.
There are some basic privileged access management practices that can significantly mitigate the risk:
  • Never share the passwords – set up a system and practice of only issuing privileged credentials on an as-needed basis and only for the duration of time and the specific activities for which they are required. This applies to internal staff as well as third-parties.
  • Audit and monitor all activities performed with these credentials – ensure that you know what the people (including third parties) are doing with the elevated permissions they are issued.
  • Follow the principle of least-privilege – while natively most systems require the full administrative credential to perform even the most basic task, there are technologies available (for example sudo for Unix/Linux systems) that allow you to delegate just the permissions necessary to do the job. For on-going access where a third-party is consistently required to perform specific IT tasks, try to delegate just those permissions, nothing more, nothing less.
  • Use analytics – implement technologies that can detect and notify you of permissions that fall outside the norm for what is required of the third-party and that can detect when a third-party’s behaviour deviates from established patterns.
  • Use multi-factor authentication – perhaps the simplest way to ensure appropriate access is to shore up authentication by requiring a second factor (beyond the administrative password). Modern multifactor authentication solutions are now easy to implement, painless to use, and provide the extra level of assurance necessary when trusting your crown jewels to outsiders.”
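Peterson's practices of as-needed issuance, auditing, least-privilege delegation through sudo and analytics on deviations can be checked against the records sudo itself writes to syslog. The following Python is an added example, not code from the original article, One Identity or Houzz; the vendor grant schema, host names and log lines are constructed for illustration, and the hypothetical grant describes what an outsourced database administrator has been delegated.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sudo-style syslog lines for this example; not Houzz's or any vendor's real logs.
SAMPLE_LOG = """\
Jan 31 10:14:07 db01 sudo: vendor_acme : TTY=pts/2 ; PWD=/home/vendor_acme ; USER=postgres ; COMMAND=/usr/bin/pg_dump appdb
Jan 31 10:15:22 db01 sudo: vendor_acme : TTY=pts/2 ; PWD=/home/vendor_acme ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Jan 31 10:16:40 db01 sudo: vendor_acme : TTY=pts/2 ; PWD=/home/vendor_acme ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jan 31 23:48:03 db01 sudo: vendor_acme : TTY=pts/0 ; PWD=/home/vendor_acme ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Jan 31 11:02:19 web01 sudo: vendor_acme : TTY=pts/1 ; PWD=/home/vendor_acme ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 31 11:05:00 db01 sudo: dba_jane : TTY=pts/3 ; PWD=/home/dba_jane ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
"""

# Matches the "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." line sudo logs on each elevation.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hour>\d\d):(?P<min>\d\d):(?P<sec>\d\d) (?P<host>\S+) "
    r"sudo: +(?P<account>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


@dataclass(frozen=True)
class SudoEvent:
    hour: int
    host: str
    account: str
    runas: str
    cmd: str


@dataclass(frozen=True)
class VendorGrant:
    """What a third-party account has actually been delegated (hypothetical policy schema)."""
    hosts: FrozenSet[str]
    allowed: FrozenSet[Tuple[str, str]]  # (run-as user, exact command line)
    window: Tuple[int, int]              # [start_hour, end_hour) in the log's timezone


@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    cmd: str
    reason: str


# Hypothetical grant: the vendor may dump one database and restart PostgreSQL on db01, in working hours.
GRANTS: Dict[str, VendorGrant] = {
    "vendor_acme": VendorGrant(
        hosts=frozenset({"db01"}),
        allowed=frozenset({
            ("postgres", "/usr/bin/pg_dump appdb"),
            ("root", "/usr/bin/systemctl restart postgresql"),
        }),
        window=(9, 18),
    ),
}


def parse_line(line: str) -> Optional[SudoEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SudoEvent(int(m["hour"]), m["host"], m["account"], m["runas"], m["cmd"])


def audit(log_text: str, grants: Dict[str, VendorGrant]) -> List[Finding]:
    """Flag every privileged action by a tracked third-party account that falls outside its grant:
    wrong host, a command it was never delegated, or activity outside the agreed window."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.account not in grants:
            continue  # malformed line, or an account not governed by a third-party grant
        g = grants[ev.account]
        if ev.host not in g.hosts:
            findings.append(Finding(ev.account, ev.host, ev.cmd, "host_not_delegated"))
        if (ev.runas, ev.cmd) not in g.allowed:
            findings.append(Finding(ev.account, ev.host, ev.cmd, "command_not_delegated"))
        if not (g.window[0] <= ev.hour < g.window[1]):
            findings.append(Finding(ev.account, ev.host, ev.cmd, "outside_access_window"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, GRANTS):
        print(f"{f.reason:24} {f.account}@{f.host}: {f.cmd}")
```

Against the sample log this flags the `/etc/shadow` read, the late-night restart and the unexpected activity on `web01`, while the two delegated commands during the window and the internal administrator's action pass. Exact command matching is deliberate: it mirrors how a tight sudoers rule is written, and a looser match (a prefix or a shell) is exactly where delegated privilege turns back into full administrative access.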

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

Information Security Buzz is an independent resource that provides the experts’ comments, analysis, and opinion on the latest Cybersecurity news and topics
Information Security Buzz and all its contents are copyright © 2014-2025. All rights reserved. All third-party trademarks are recognized.