The Grinch Who Exposed Your Kids Identities

  /     /     /  
Publicated : 22/11/2024   Category : security


The Grinch Who Exposed Your Kids Identities


5 Ways VTechs Scrooge-like security spending put young users at risk.



This article was updated on 12/1 with the latest count of children affected by the breach as
announced today by VTech
: In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts.  In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate.
As news unfolds about the huge data breach at toymaker VTech that exposed personal information and passwords for close to 5 million parents and personal information on more than 6 million children, its becoming clear that sometimes the Grinch isnt the thief. Sometimes the Grinch is the company with poor security practices that makes it possible for thieves to take innocent consumers data--especially when those consumers are minors.
The VTech breach, which was first reported in a
Motherboard article last week
, seems to have been carried out not to steal the data, but to prove a point through its exposure: VTechs security stinks, and theres loads of data at risk as a result. Included in the data dump were poorly encrypted passwords, secret questions stored in plaintext and names, birthdays, photos, and chat logs for children using VTech toys that were easily tied to their parents identifiable information like home addresses.
Fortunately, the damage appears to be limited in that this attacker hasnt shared the data, but theres no way of knowing whether other attackers may have already obtained the same data, says Shuman Ghosemajumder, vice president of strategy at Shape Security. Parents in general should, of course, be very careful about who they give their childrens information to, and should watch for telltale signs that a company isnt taking security seriously.
The attention garnered by the exposure has certainly drawn the security communitys microscope over VTech and what it found isnt pretty.
 
Willful Ignorance On What Kind Of Data Is Valuable
VTech is proud that no credit card or banking information was stolen, but the data that was stolen could potentially make this breach more damaging and dangerous over the long run, says Jeff Hill, channel marketing manager for STEALTHbits, who explains that while credit card information can be cancelled, personal information cannot.
As he explains, patient criminals can stash information like names, birthdays, and mailing addresses to carry out future attacks that take advantage of initially stolen informatoin. In particular, information on minors can be seriously valuable as parents are less likely to do credit checks on their kids than on their own identities--giving attackers a longer time to use a stolen minors information without any repercussions.
Much more disturbing, however, is the potential for child predators to obtain and exploit the children’s information, Hill says.
 
Atrocious Encryption Practices
In a thorough analysis of VTechs data collection practices and weaknesses observable through its Web applications customer interface and through information from the breachs data dump, development security expert
Troy Hunt dismantled the companys data security practices
. One of the first glaring problems? VTech is encrypting all of its parent passwords using only an unsalted MD5 hash. 
Once the passwords hit the database we know they’re protected with nothing more than a straight MD5 hash which is so close to useless for anything but very strong passwords, they may as well have not even bothered, he wrote.
As Hunt explains, VTechs encryption at rest is second only to no encryption at all--which is exactly the route the company chose to go with for data in transit.
All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted, he says. These days, we’re well beyond the point of arguing this is ok – it’s not. 
Similarly, all data surrounding password reset questions were also stored in plaintext.
 
No Data Retention Boundaries
Beyond the crummy encryption, though, is an even more endemic data governance problem at VTech. Given the volume and variety of data breached, its clear that no thought had been given about data collection and retention policies.
Exhibit A on this is the news yesterday that chat logs were also left exposed on VTech servers
--leading most security experts to wonder why that data was even available to take.
If the firm had some kind of philosophy with regard to either collection or retention, VTech likely would have thought twice about the risk it incurred by keeping this kind of sensitive information.
You should only collect and store data for well understood use,
wrote Mark Nunnikhoven, vice president of cloud research for Trend Micro in a blog discussing the breach
. Data should be evaluated for its overall value to the organization and—just as importantly—the risk it can pose to the organization.
 
Bad Data Design
VTechs data governance woes extended beyond just promiscuous collection and retention practices. Another huge flaw exposed by this breach is the sloppy data design that allowed sensitive information about kids to be tied to even more identifiable information stored about those kids parents.
These kinds of considerations are absolutely huge for companies that collect data on children, says Beth Marcus, CEO and founder of childrens app developer Playrific.
Through the data access structure, its crucial to prevent various data pieces from being put together by any external player - even when parental permission in given, Marcus says. You have to break the link between the data and the child, and the links between the various pieces of the data vault containing different elements of the individuals data. When kids are involved, saying sorry we didnt think about that doesnt cut it. Hackers may never exploit data the way you think they might, thats why you cant risk having identifying information and behavior information tied together anywhere in the system at rest.
  
SQL-Laden Error Messages
VTech has gone on record saying that the likely attack vector for the breach was the tried and true SQL injection. Thats no surprise given the fact that the companys error messages are serving up attackers valuable infrastructure on a silver platter. According to Hunt, VTechs password error messages were returning SQL statements to users. Thats pretty much putting out the welcome mat for SQLi attackers.
 This breach is another sad example of a company ignoring some very basic application security best practices, says Chris Eng, vice president of research for Veracode. Why are websites still vulnerable to SQL injection today? The industry has known about this for decades, is one of the OWASP Top 10 most dangerous vulnerabilities and they are not difficult to find or fix.
 
 

Last News

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security

▸ Sony, XBox Targeted by DDoS Attacks, Hacktivist Threats ◂
Discovered: 23/12/2024
Category: security

▸ There are plenty of online tools for reporting bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
The Grinch Who Exposed Your Kids Identities