TaskRabbit, a web-based service that connects freelance handymen with clients in various local US markets, has emailed customers admitting it suffered a security breach. The company has taken down its app and website while law enforcement and a private cyber-security firm are investigating the incident. IT security experts commented below.
Tim Helming, Director of Product Management at DomainTools:
“This is an indication of how comprehensively nefarious actors can interfere with business functions–and potentially harm users. To take control of a website and expose such trusted resources as TaskRabbit’s GitHub repository, as well as daily transaction volumes and information regarding employees, the threat actors must have had comprehensive access to the network. While we don’t yet know the specifics of how this attack unfolded, it is a good reminder of the importance of practices such as least-privilege access controls, robust network segmentation, and strong phishing controls. Organizations need to take cybersecurity seriously, particularly when it could affect the livelihood, reputation and privacy of both employees and service users.
“This attack happened because the TaskRabbit data is an interesting and valuable asset. Attacks of this nature are attempted when there is a potential gain for the attacker, in this case to monetize any personal information that can be obtained. All web applications are vulnerable; it’s only a matter of how much effort the attacker is required to expend. It’s really an economic problem where the payback has to be larger than the expended effort.
Any public-facing web application that holds large amounts of personal information should have a comprehensive application security testing program in place to assess the application, its data stores, the infrastructure on which it runs, and the users assigned to manage and operate the overall system. Any weaknesses should be remediated in a prioritized way so that the potential for attack is reduced to the lowest possible level and maintained there. The focus should be on the economic equation, where the effort required to compromise the system is much greater than the value of any stolen information.”
The TaskRabbit hack is an unfortunate reminder of why phishing is a popular attack method as it targets human naivety. Individuals must show extreme caution to all links and attachments sent to them and have the mindset that if it looks too good to be true, then avoid it at all costs. Organisations also have a role to play in reducing the threat posed by such attacks. Take a proactive step by implementing security services that offer anti-phishing services as well as introduce training for employees to understand the consequences of clicking unknown emails. Hackers are constantly developing new tricks to dupe unsuspecting users, so organisations must adopt a pro-active stance to help reduce the threat.
“TaskRabbit is a great example of how small businesses can thrive thanks to the popularity and widespread use of apps in today’s modern world, and consumers can find services in just a few clicks. To stay ahead of the game in terms of usability and enhanced features, apps are continuously being updated. Although this is beneficial to both businesses and consumers, security must not be an afterthought and needs to be an integral part of the build process.
At WhiteHat, we are seeing practices such as DevSecOps become increasingly popular as organizations and businesses of all sizes look to focus efforts on securing their applications, but a lot more still needs to be done to achieve the security required. Because a security breach could reflect poorly on the acquiring company, there are key areas that could make your organization vulnerable to a breach, and they are often overlooked.
For example, it’s critical that the company being acquired take the proper measures to build security into their development practice, and that due diligence on the security of acquisitions of big software programs or cloud services be done. The same holds true for open source software or libraries that are being brought into your company’s development organization.
Companies should always first assume the service/application is not secure, and then apply security best practices to make sure it becomes secure as they use it to build apps or services.
Security is also important for consumers. There are some simple steps they can take to help secure themselves online:
Don’t use the same password for all sites and apps. If one site or app is breached, all of your accounts are effectively breached. At the very least, use a variety of passwords to minimize the impact.
Turn on two-factor authentication for any app that supports it. It can be a pain, yes, but it’s also one of the best ways to protect your accounts.”
ISBuzz Team embodies the collaborative efforts of the dedicated staff at Information Security Buzz, converging a wide range of skills and viewpoints to present a unified, engaging voice in the information security realm. This entity isn't tied to a single individual; instead, it's a dynamic embodiment of a team diligently working behind the scenes to keep you updated and secure. When you read a post from ISBuzz Team, you're receiving the most relevant and actionable insights, curated and crafted by professionals tuned in to the pulse of the cybersecurity world. ISBuzz Team - your reliable compass in the fast-evolving landscape of information security