When, in 2004, a former AOL software engineer stole 92
million screen names and e-mail addresses, and subsequently sold them to spammers,
few people predicted the long line of high-profile names that would follow.
Over the following ten years, Sony, eBay, Adobe, Home Depot, Evernote and even
Apple have been just some of the companies that have suffered huge data leaks
from targeted attacks. As the amount of data we store grows, and our systems
become ever more connected, it’s a problem that is only going to get worse.
However, two weeks ago there was an attack that didn’t make
the headlines. BrowserStack provides live, web-based browser testing and its
database contains around half a million accounts, including personal
information and credit card details. The company’s application servers run on
Amazon Web Services, and by exploiting the Shellshock vulnerability on an old, forgotten
prototype machine, the hacker was able to gain unrestricted access to the core database.
This, however, is where the story begins to differ from those above that did
make the headlines. The copy operation the hacker used to download customer
records locked the table, and BrowserStack had monitoring systems in place that
alerted staff. As a result, the systems were locked down before the hacker
managed to download 1% of the customer records.
Although this was still a serious breach, without the appropriate
monitoring and alerting capability in place it would have been a whole lot
worse, and BrowserStack would be joining the unhappy list of companies we quoted
above. Make sure you stop by our stand, or attend our presentation, at PUG Challenge 2014,
where we’ll be showing how DataPA OpenAnalytics combines VST
access and wearable tech to ensure any OpenEdge DBA can be alerted within
seconds of a similar attack.