
posted by hubie on Wednesday February 15, @07:28AM

The automaker closed a hole that allowed a security researcher to gain system administrator access to more than 14,000 corporate and partner accounts and troves of sensitive data:

An ethical hacker found a backdoor in a Web app used by Toyota employees and suppliers for coordinating tasks related to the automaker's global supply chain, gaining control of the global system merely by knowing the email address of one of its users.

Security researcher Eaton Zveare revealed this week that in October, he found the backdoor login mechanism in the Toyota Global Supplier Preparation Information Management System (GSPIMS) Web portal, a site used by Toyota employees and their suppliers to coordinate various business activities. The backdoor allowed him to log in as any corporate user or supplier.

From there he found a system administrator email and logged in to their account, thus gaining "full control over the entire global system," he explained in a blog post about the hack.
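The class of flaw described above, a login path that hands out a valid session for any account from nothing but its email address, shown next to the login the portal should have had. This is an added example and not code from the original page, from Toyota, or from Zveare's write-up; the page does not say how the GSPIMS backdoor was implemented, so the HMAC-signed token format, the constructed user directory and the names `issue_token_backdoor`, `issue_token`, `verify_token` and `escalate_via_backdoor` are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample user store standing in for a supplier-portal directory.
# Passwords are kept only as salted PBKDF2 hashes; the plaintexts appear in
# this file solely so the example runs offline.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-static-salt"   # a real store uses a per-user random salt
USERS = {
    "supplier@example.com": {"role": "supplier", "pw": _hash_password("s3cret", _SALT)},
    "admin@example.com":    {"role": "sysadmin", "pw": _hash_password("hunter2", _SALT)},
}

# Assumed server-side key for signing session tokens (would come from a KMS).
SIGNING_KEY = secrets.token_bytes(32)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)

def verify_token(token: str) -> Optional[dict]:
    """Return the claims if the MAC checks out, else None. Both issuers below
    produce tokens that pass here: a downstream API cannot tell a
    backdoor-minted session from a legitimate one."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except ValueError:            # wrong shape or bad base64 (binascii.Error)
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(body)

# VULNERABLE: a "log in as" path that needs nothing but an email address.
# Anyone who knows or guesses an account's email gets a valid session for it.
def issue_token_backdoor(email: str) -> Optional[str]:
    user = USERS.get(email)
    if user is None:
        return None
    return _sign({"sub": email, "role": user["role"]})

# HARDENED: the only issuer that should exist. It proves possession of the
# credential, compares in constant time, and hashes even for unknown emails
# so response timing does not reveal which addresses are registered.
def issue_token(email: str, password: str) -> Optional[str]:
    user = USERS.get(email)
    candidate = _hash_password(password, _SALT)
    if user is None or not hmac.compare_digest(candidate, user["pw"]):
        return None
    return _sign({"sub": email, "role": user["role"]})

def escalate_via_backdoor(known_admin_email: str) -> Optional[str]:
    """The escalation in the article: with the backdoor issuer present, knowing
    an administrator's email is enough to obtain an administrator session."""
    token = issue_token_backdoor(known_admin_email)
    claims = verify_token(token) if token else None
    return claims["role"] if claims else None

if __name__ == "__main__":
    print("backdoor, email only ->", escalate_via_backdoor("admin@example.com"))
    print("hardened, wrong password ->", issue_token("admin@example.com", "guess"))
    ok = issue_token("admin@example.com", "hunter2")
    print("hardened, right password ->", verify_token(ok)["role"])
```

The point of `verify_token` being shared by both issuers is that nothing downstream can distinguish a backdoor-minted session from a legitimate one, so the fix is to remove the email-only issuer rather than to hide or rename it. `issue_token` also runs the password hash for unknown emails so that a probe cannot enumerate registered addresses through response timing.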

[...] The hack demonstrates once again how a simple, overlooked flaw in an enterprise system can inadvertently give an attacker access to sensitive data and corporate accounts of a company's supply chain. This, in turn, paves the way for malicious activity that affects not only that organization but its entire ecosystem of partners, security experts noted.

[...] The researcher reported the issue to Toyota on Nov. 3 and the company reported back 20 days later that it had been fixed — a speedy response with which Zveare was "impressed," he said.

[...] Enterprises have work to do in order to block the issue Zveare found, security experts say. For starters, security administrators must take a more holistic approach to security and realize the wider impact their overall security posture — or lack thereof — can have on all of the partners and customers with whom they do business.

"What are perceived as 'internal systems' to organizations, no longer are," Dror Liwer, co-founder of cybersecurity firm Coro said in an email statement to Dark Reading. "With partners, suppliers, and employees collaborating via the Internet — all systems should be considered external, and as such, protected against malicious intrusion."

[...] Key measures to consider include shoring up access control and user account privileges, ensuring that employees and third parties are given access only to the data needed for their particular role, she notes. "This helps to control what data can be accessed in the event of a breach," Janssen-Anessi says.
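One way to enforce the role-scoped, least-privilege access the paragraph recommends, so that a single compromised account exposes only its own tenant's rows rather than the whole portal. This is an added example, not code from the page, from Toyota or from the quoted experts; the roles, actions, record fields and the functions `visible_records`, `can`, `update_unit_cost` and `exposure_if_compromised` are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rows standing in for supplier-portal data.
RECORDS = [
    {"id": 1, "supplier": "acme",   "part": "brake line",  "unit_cost": 12.40},
    {"id": 2, "supplier": "acme",   "part": "hose clamp",  "unit_cost": 0.31},
    {"id": 3, "supplier": "globex", "part": "wiring loom", "unit_cost": 84.00},
]

# Role -> actions granted. Anything not listed is denied (default deny), so a
# new or mistyped role gets nothing rather than everything.
PERMISSIONS = {
    "supplier": {"record:read_own"},
    "buyer":    {"record:read_all"},
    "sysadmin": {"record:read_all", "record:write"},
}

@dataclass(frozen=True)
class Principal:
    email: str
    role: str
    supplier: Optional[str] = None   # tenant for supplier-side users

class Forbidden(Exception):
    pass

def can(principal: Principal, action: str) -> bool:
    return action in PERMISSIONS.get(principal.role, set())

def require(principal: Principal, action: str) -> None:
    if not can(principal, action):
        raise Forbidden(f"{principal.email} ({principal.role}) may not {action}")

def visible_records(principal: Principal) -> List[dict]:
    """Rows the caller may read: all of them for read_all roles, only the
    caller's own tenant for supplier users, nothing otherwise. The tenant
    comes from the authenticated principal, never from a request parameter."""
    if can(principal, "record:read_all"):
        return [dict(r) for r in RECORDS]
    require(principal, "record:read_own")
    if principal.supplier is None:
        raise Forbidden(f"{principal.email} has no tenant")
    return [dict(r) for r in RECORDS if r["supplier"] == principal.supplier]

def update_unit_cost(principal: Principal, record_id: int, cost: float) -> dict:
    """Write path: a separate, narrower permission than reading."""
    require(principal, "record:write")
    for row in RECORDS:
        if row["id"] == record_id:
            row["unit_cost"] = cost
            return dict(row)
    raise KeyError(record_id)

def exposure_if_compromised(principal: Principal) -> int:
    """Blast radius: how many rows an attacker holding this account could read."""
    try:
        return len(visible_records(principal))
    except Forbidden:
        return 0

if __name__ == "__main__":
    acme_user = Principal("ops@acme.example", "supplier", supplier="acme")
    admin = Principal("admin@example.com", "sysadmin")
    print("compromised supplier account exposes", exposure_if_compromised(acme_user), "rows")
    print("compromised sysadmin account exposes", exposure_if_compromised(admin), "rows")
```

The scoping lives in one place (`visible_records`) and every read goes through it, so a stolen supplier session is bounded to that supplier's rows; the admin account still sees everything, which is why the number of such accounts, and who can mint sessions for them, matters as much as the permission table itself.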

Indeed, a more data-centric approach overall to security could help enterprises avoid or mitigate a scenario that Zveare demonstrated, Comforte AG's Horst observes. He advises that organizations find ways to protect data as soon as it enters their corporate data ecosystem, thus protecting "the data itself rather than perimeters and borders around the data."


  • (Score: 0) by Anonymous Coward on Wednesday February 15, @08:41AM (#1291858) (6 children)

    Oh my. Lol!

    • (Score: 2) by takyon (881) <takyonNO@SPAMsoylentnews.org> on Wednesday February 15, @09:43AM (#1291861) Journal

      The Hooker Hacker with a Heart of Gold

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 1, Informative) by Anonymous Coward on Wednesday February 15, @12:36PM (#1291870)

      This guy? https://www.justice.gov/opa/pr/fourth-defendant-convicted-scheme-defrauded-software-company-over-16-million-worth-virtual [justice.gov] From 2016 (mentioned in the last para below):

      > Anthony Clark, 24, was convicted by a jury sitting in Fort Worth, Texas, of one count of conspiracy to commit wire fraud. Sentencing has been scheduled for February 27, 2017.
      >
      > Evidence presented at trial showed that Clark and three co-conspirators defrauded software company Electronic Arts (EA). EA is the publisher of a video game called FIFA Football, in which players can earn “FIFA coins,” a virtual in-game currency generally earned based on the time users spend playing FIFA Football. Due to the popularity of FIFA Football, a secondary market has developed whereby FIFA coins can be exchanged for U.S. currency. Clark and his co-conspirators circumvented multiple security mechanisms created by EA in order to fraudulently obtain FIFA coins worth over $16 million. Specifically, Clark and his co-conspirators created software that fraudulently logged thousands of FIFA Football matches within a matter of seconds, and as a result, EA computers credited Clark and his co-conspirators with improperly earned FIFA coins. Clark and his co-conspirators subsequently exchanged their FIFA coins on the secondary market for over $16 million.
      >
      > Co-conspirators Nick Castellucci, 24, of New Jersey; Ricky Miller, 24, of Arlington, Texas; and Eaton Zveare, 24, of Lancaster, Virginia, previously pleaded guilty and await sentencing.

    • (Score: 4, Funny) by Opportunist (5545) on Wednesday February 15, @02:10PM (#1291875) (3 children)

      No idea why this was something that sparked an "Oh my. Lol!" but you might be surprised that the majority of "hackers" are actually acting ethically.

      They will report what they find to the creator of the tool that they found the flaw in and give them the time required to fix the problem and issue a patch before they release the information into the wild. The "fair vs fair" agreement between company and hacker is that the hacker gets the full credit for finding the flaw, and in return they wait for the fix to be published before they publish their finding.

      That's how it works. More often than not, actually. Yes, it's not widely known. I know. But that works pretty well with most companies. And with most "hackers".

      • (Score: 2) by HiThere (866) on Wednesday February 15, @02:46PM (#1291882) Journal (2 children)

        OTOH, it's a bit risky to notify the company. Companies have been known to prosecute (well, effectively demand prosecution) for receiving that information.

        --
        Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
        • (Score: 4, Interesting) by Opportunist (5545) on Wednesday February 15, @06:12PM (#1291917) (1 child)

          They only do that once. Afterwards they don't get that information anymore and another 0day goes 'round the world.

          Most companies get wise pretty fucking quickly when this happens...

          • (Score: 2) by krishnoid (1156) on Wednesday February 15, @07:58PM (#1291929)

            Many, many citations needed. Preferably in the form of multiple Aesop's fables.
