MY OPINION: Massive data breaches persist as agile software development drives full-stack hacks


Data leaks and theft are an integral part of digital commerce, even more so in the age of agile software development.

Related: GraphQL APIs spark new exposures

Most of the high-profile breaches that make headlines today are the byproduct of hackers preying on application programming interfaces (APIs), the pathways along which data flows between an individual user and a myriad of cloud resources, until they find an opening that lets them in.

It’s important to understand the nuances of these full-stack attacks if we ever want to slow them down. I had a few in-depth discussions about this with Doug Dooley, COO at Data Theorem, a software security provider based in Palo Alto, Calif., specializing in API data protection. Here are some key points to remember:

Targeting the fruit within reach

Today, massive database breaches typically follow a distinctive pattern: break into a customer-facing application; manipulate an API; follow the flow of data to reach an overly permissive database or S3 bucket (cloud storage). A classic example of this type of intrusion is the Capital One data breach.

Capital One’s alleged hacker, Paige Thompson, has been charged with the breach and the theft of data on more than 100 million people, including 140,000 social security numbers and 80,000 linked bank accounts. The 33-year-old Amazon Web Services (AWS) software engineer has also been accused of stealing cloud computing power from Capital One’s account to “mine” cryptocurrency for her own profit, a practice known as “cryptojacking.”

Thompson began by attacking Capital One’s public-facing applications, which were purported to be protected by an open source Web Application Firewall (WAF), and successfully carried out a Server Side Request Forgery (SSRF) attack. Having compromised the customer-facing application, she was then able to relay requests to a legacy AWS metadata service and obtain credentials from it.

Harvesting passwords and tokens is one of the most common hacking techniques. With valid credentials in hand, Thompson was able to use APIs and command line interfaces (CLIs) to reach a wide variety of low-hanging fruit: S3 buckets holding valuable data. She then pulled the data to her local machine and openly bragged about her escapades in hacker forums, on Twitter, and even in posts in her GitHub repositories, which led to her arrest by the FBI.
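The pivot described above, an application tricked into fetching the cloud metadata endpoint on the attacker's behalf, is what an SSRF guard on outbound requests is meant to stop. The following is an added example, not code from the article or from any company it names; it assumes a hypothetical server-side "fetch this URL" feature and a pluggable resolver so the check can be tested offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical SSRF guard for a server-side "fetch this URL" feature (added
# example, not code from the article or from any company it names). It refuses
# targets that map to the cloud metadata service or any other internal range,
# which is the hop the Capital One intrusion described above relied on.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # link-local; AWS IMDS is 169.254.169.254
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private ranges
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
]

def is_blocked_ip(ip):
    """True if the address falls in a range the application must never reach."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)

def resolve_all(hostname):
    """All addresses the name maps to; the hostname text alone says nothing about where it points."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []

def check_outbound_url(url, resolver=resolve_all):
    """Return (allowed, reason) for a URL the app is about to fetch; connect to the
    vetted IP afterwards, not the name, or DNS rebinding can defeat this check."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parsed.scheme
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP in the URL: check it directly, no DNS involved
    except ValueError:
        addrs = resolver(host)  # a hostname: vet every address it maps to
    if not addrs:
        return False, host + " does not resolve"
    for ip in addrs:
        if is_blocked_ip(ip):
            return False, "%s maps to internal address %s" % (host, ip)
    return True, host + " maps only to public addresses"
```

The guard is only one layer: limiting what the application's own IAM role can read, and requiring the metadata service's session-token mode rather than the legacy one the article mentions, shrink what a successful SSRF can reach.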

The dinner bell rings

Regardless of her motivation, when Thompson decided to take on Capital One’s application and cloud security stack, she resorted to proven tactics used by ethical researchers as well as by criminal hackers. The former spend their time flushing out application security flaws and correcting them; the latter search for vulnerabilities – and exploit them – for malicious reasons. Both simply take the easiest route to the rewards within reach.

And in today’s open, decentralized software development environment, there are countless paths to vast orchards of ripe fruit. Indeed, companies do everything they can to quickly deploy minimally viable software. They ask the best and brightest developers to tinker with modular snippets, i.e. microservices, which are then stored in software containers residing in cloud storage. This collaboration is done by members of distant teams working remotely.

The idea is to learn as quickly as possible whether something works or fails. Then the developers iterate and patch on the fly, resulting in dramatic innovations, but also the need to continually update and release patches. And all of this frenetic activity is made possible by a growing reliance on APIs that serve as conduits for two software applications to exchange information.

This is the essence of digital agility. An extremely nimble and dominant media streaming company like Netflix makes hundreds of software changes every day in this way. In any industry, any organization of any size that hopes to stay competitive must innovate and remedy in much the same way.

However, any time a business deploys a new application, releases a service pack update, or requires a security patch to be installed, it’s like a dinner bell ringing for both ethical researchers and profit-driven hackers, Dooley told me.


“When a company rolls out a new service or says, ‘Hey, my app has some issues that need to be fixed, please put these things into your codebase,’ that’s a signal for hackers to go and review these features, to see what’s in there that they might be able to compromise,” he says.

This makes perfect sense. The newer the code, the less likely it is to be hardened in terms of security, especially given how agile software development is designed to be continuously iterated.

In a sense, software updates and security patches help hackers overcome the growing complexity of a sprawling software system. A single API can allow connections for 1,000 or even 10,000 operations. A software update or security patch directs the hacker to the most recent eight or 10 operations, which are likely to be the least hardened, Dooley says.

A few steps behind

This logic is repeated over and over again. When Microsoft rolled out a new Bing mobile app for Android and iOS, it attracted ethical researchers and threat actors. Shortly after, WizCase analysts discovered that someone had successfully removed the password protecting the underlying Elasticsearch database supporting the new Bing app.

This meant that Bing servers running on Azure Cloud had been left unprotected for several days with some 6.5 terabytes of research data accessible to anyone with modest computing skills. This exposed data included search terms, GPS coordinates, lists of URLs visited, and unique device identifiers for users of the Bing mobile app.

More recently, WizCase revealed a massive data breach in the underlying database of the popular mobile game Battle for the Galaxy. In this case, a weakly protected Elasticsearch server owned by AMT Games exposed 1.47 terabytes of data, including player email addresses, IP addresses, and Facebook data. Someone actually circulated a link making this unencrypted data available to anyone who had the link, without needing a password or login credentials.


The work of ethical hacking groups like WizCase is commendable. However, let’s not overlook the fact that the good guys are often only a few steps behind the bad guys in answering the dinner bell every time it rings. In the breaches of the Bing mobile app and AMT Games, massive caches of sensitive personal data were very quickly located and exposed by malicious hackers – exploits that were only later discovered and disclosed by the white hats of WizCase, a few steps behind.

What is happening is that companies are coming up with new features and software fixes without automating security analysis and remediation before it goes into production. As part of the pursuit of data monetization, organizations are paving the way for new orchards of highly profitable information stores for customers and business partners.

“They say to hackers, ‘Hey, I just showed you a bunch of new features running on new databases and new storage compartments on API-based cloud services that probably aren’t fully locked down yet,’” Dooley says. “And it would be good to assume that the authentication and authorization components are probably not fully verified either.”

Obviously, the pursuit of digital agility expands the attack surface deeper than one might have imagined. More proactive management of this highly dynamic attack surface must happen, and soon. I will monitor and continue to report.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to educating the public on how to make the Internet as private and secure as it should be.

(LW provides consulting services to the suppliers we cover.)

*** This is a syndicated Security Bloggers Network blog from The Last Watchdog written by bacohido. Read the original post at:
