And so it has happened again, this time with Anthem who happens to be the second largest health insurer in the US. Apparently the attack may have impacted up to 80 million customers which firstly, is rather a large number and secondly, could include some pretty sensitive data given we’re talking about an organization that holds a bunch of medical information.
It’s early days yet and organizations in their predicament tend to like holding their cards pretty close to their chests when it comes to disclosing details of the attack vector. One thing I did see that sparked some interest though was Reuters reporting that it was “a very sophisticated attack”. I always find this description in lieu of tangible information a bit of a relative term and very often, it’s a way too generous.
Recently I tuned in to watch an emerging “hacktivist” (now pretty much a term used to describe those who hack based on opportunity rather than for financial or political gain), known as abdilo livestream his attacks. He was systematically combining some pretty well known Googledorks (essentially just carefully crafted search terms) with the popular (and free) SQL injection exploit tool known as sqlmap. Do a search, find a URL, plug it into sqlmap then lather, rinse, repeat. Every now and then he’d hit on a vulnerable URL and exfiltrate any data the website had access to in the underlying database.
Having watched these guys a bit over the years, abdilo’s pattern was a pretty familiar one. He (or at least allegedly “he”) is probably not much more than a kid with time on his hands to burn. By all accounts he’s tenacious and has at least a basic grasp on how to use the tools that are so readily available, but he’s probably just that – a determined teenager looking for mischief. But rather than knocking over rubbish bins like his forebears, he was wandering around ripping off data from US education facilities.
These attacks can be fundamentally simple. In fact to illustrate the point, a couple of years back I taught my 3 year old how to use Havij, another freely available GUI-based SQL injection tool. Now I didn’t exactly then set him loose on the web to wreak havoc, but I did want to make the point that if you know how to copy and paste then you’re a good whack of the way there to mounting your very own “sophisticated cyber-attack”.
Of course to the outside world, that’s how it looks – some sort of super-hacker has breached the impenetrable fortress which we expect large organisations to have around their valuable customer data. By now though, the prevalence of attacks should have taught us that there’s enough low-hanging fruit out there of high enough value that the sophistication level required to access it may not be as high as we’d like to think. In fact it always reminds me of Arthur C. Clarke’s third law of prediction: “Any sufficiently advanced technology is indistinguishable from magic”.
We may not know the details behind the Anthem attack just yet, but I’m leaning way more towards known and well-established security flaws rather than magic!
Troy Hunt
http://troyhunt.com
@troyhunt
Microsoft MVP - Developer Security
