The automaker closed a hole that allowed a security researcher to gain system administrator access to more than 14,000 corporate and partner accounts and troves of sensitive data:
An ethical hacker found a backdoor in a Web app used by Toyota employees and suppliers for coordinating tasks related to the automaker's global supply chain, gaining control of the global system merely by knowing the email address of one of its users.
Security researcher Eaton Zveare revealed this week that in October, he found the backdoor login mechanism in the Toyota Global Supplier Preparation Information Management System (GSPIMS) Web portal, a site used by Toyota employees and their suppliers to coordinate various business activities. The backdoor allowed him to log in as any corporate user or supplier.
From there he found a system administrator email and logged in to their account, thus gaining "full control over the entire global system," he explained in a blog post about the hack.
[...] The hack demonstrates once again how a simple, overlooked flaw in an enterprise system can inadvertently give an attacker access to sensitive data and corporate accounts of a company's supply chain. This, in turn, paves the way for malicious activity that affects not only that organization but its entire ecosystem of partners, security experts noted.
[...] The researcher reported the issue to Toyota on Nov. 3 and the company reported back 20 days later that it had been fixed — a speedy response with which Zveare was "impressed," he said.
[...] Enterprises have work to do in order to block the issue Zveare found, security experts say. For starters, security administrators must take a more holistic approach to security and realize the wider impact their overall security posture — or lack thereof — can have on all of the partners and customers with whom they do business.
"What are perceived as 'internal systems' to organizations, no longer are," Dror Liwer, co-founder of cybersecurity firm Coro said in an email statement to Dark Reading. "With partners, suppliers, and employees collaborating via the Internet — all systems should be considered external, and as such, protected against malicious intrusion."
[...] Key measures to consider include shoring up access control and user account privileges, ensuring that they only provide employees and third parties with access to the data needed for their particular role, she notes. "This helps to control what data can be accessed in the event of a breach," Janssen-Anessi says.
Indeed, a more data-centric approach overall to security could help enterprises avoid or mitigate a scenario that Zveare demonstrated, Comforte AG's Horst observes. He advises that organizations find ways to protect data as soon as it enters their corporate data ecosystem, thus protecting "the data itself rather than perimeters and borders around the data."