Customer details exposed at award-winning security software vendor
Date Reported:
9/11/10
Organization:
Omniquad Ltd
Contractor/Consultant/Branch:
Undisclosed third-party helpdesk software vendor
Location:
Online
Victims:
Customers
Number Affected:
Undisclosed
Types of Data:
"customer log-in details"
Breach Description:
"The leak of consumer data, managed by network security provider Omniquad, has been held up as an example of the data breaches that undermine confidence in online business by the Cloud Industry Forum."
Reference URL:
TechEYE.net
ComputerWeekly.com
ITPRO
Report Credit:
Dean Wilson, TechEYE.net
Response:
From the online sources cited above:
Security software firm Omniquad has been criticised and reported for a serious data breach that saw the publication of customer details online.
[Evan] This is ironic.
The company, which makes anti-malware and firewall software and is the "NetworkWorld ClearChoice Award winner" for its AntiSpy software, said a glitch in its helpdesk software resulted in the details of its customers being broadcast on the net.
Omniquad was keen to point out that the vulnerability was in a third-party software which Omniquad uses to manage helpdesk calls.
[Evan] So what?! Let's cover basic information security roles and responsibilities for a second. There are three basic roles in information security, and each has its own set of responsibilities: "data owner", "data custodian", and "data user". Easy enough. The data owner is the person (or entity) that owns the information; in this case the data owner is the customer. The data custodian is the person (or entity) responsible for securing data in accordance with the expectations of the data owner; in this case the data custodian is Omniquad. The helpdesk software maker/developer holds no direct role in protecting the information held by Omniquad. Omniquad, as the data custodian, has the responsibility to assess the risks of using the software within its own environment. I have oversimplified, but hopefully you are tracking with me here.
The exploit published customer log-in details online, but Omniquad said that the information was taken down and the system put offline as soon as the situation was discovered.
“This is not a case of negligence on our part. We have acted quickly to fix the situation and notify any customers who may have been put at risk,” said Daniel Sobstel, managing director of Omniquad. “The software has been in place for a few years and this is the first time we have had any kind of problem like this with it.”
[Evan] I don't think I would go as far as claiming negligence either, but do you think that Omniquad should have done a better job of vetting the software used in their environment? Did Omniquad conduct a vulnerability assessment, perform penetration testing, or do a code review on the helpdesk software prior to deployment and regularly thereafter? Should they have? Hindsight is 20/20, but great care should be taken by organizations in assessing the risks associated with the software they use; especially if the software in question creates, collects, processes, stores, or transfers sensitive information.
Sobstel tried to reassure customers that the majority of them would be unaffected.
He said that it would take days to exploit the published data, meaning it was only really a problem for a small number of people.
Privacy International was strongly condemnatory of the affair.
[Evan] Condemnatory is a funny word ;)
It reported the company to the Information Commissioner over the incident, while a spokesperson said: “Security and privacy should be at the core of everything they do and that includes carrying out security audits of all third-party software and services they offer.”
[Evan] Amen.
IT security needs to be proactive if it is to be effective in keeping hackers at bay or preventing accidental breaches, said the Cloud Industry Forum.
“Breaches such as this demonstrate all too well the dire consequences that follow from failing to assess the risks that come from third party software,” commented Chris Eng, senior director for security research at Veracode.
Commentary:
Comments above.
We don't know how many customers were affected in this breach, and we don't know how sensitive the exposed data was. We are probably safe to assume that customer "log-in details" means usernames and passwords. Sobstel's statement that it would take days to exploit the published data suggests the passwords were not stored in the clear, but a password hash that can be cracked offline in a matter of days should still be treated as compromised. If I were a customer of Omniquad, I would take the time to check whether I had used the same password anywhere else, especially at sensitive sites like PayPal or online banking. Now would be a good time to change passwords.
This article was posted to The Breach Blog by
Evan Francen, President at FRSecure LLC
Past Breaches:
Unknown