A few days ago, Taiwanese computer manufacturer Acer disclosed that "a flaw" in their online store allowed hackers to retrieve almost 35,000 credit card numbers, including security codes, and other personal information. Most of the major personal computer retailers have online stores like Acer's, allowing people to buy directly from the manufacturer, rather than through a reseller like Amazon. But how secure are these digital outlet stores, and what are the chances that if you use them you'll end up like Acer's customers? We examined seven industry leaders with our external risk grader to see how they stacked up, and unfortunately, Acer wasn't alone in its security practices.
Like a credit score, CSTAR aggregates many factors into a single number, ranging from 0 to 950. The external CSTAR score is divided into three sections: business, communications and website. Business focuses on factors like employee satisfaction, CEO approval and breach history. Communications examines email and DNS security mechanisms such as SPF, DKIM, and DMARC. Website grades the actual site itself, looking for SSL configuration, headers, cookies and reputation.
Five of the seven organizations we scanned had sub-500 scores. These aren't minor websites, or niche markets; this is Dell, Samsung, Toshiba, HP-- name brands many people rely on, not only to provide quality products, but to engage in trustworthy business practices and protect their customer data. Of the two over 500, Microsoft's online store barely crossed the line with a 585 and only Apple, with an impressive 877, has what we would call overall good security. We'll breakdown each company's site and discover how it earned its score, what dangers its customers face, and what can be done to fix it.
Dell - 428 out of 950 - www.dell.com
Dell is the third largest PC vendor in the world, and although it has many distribution channels, its online store is heavily used. Its score of 428 places it just above Acer, but still well within the warning range. Its business and communications scores are quite good, with both SPF and DMARC enabled, but its website, where the financial transactions actually take place, only has a 223. The main reason for the low website score is that Dell does not have sitewide SSL enabled. This is going to be a recurring theme throughout this industry, but lack of sitewide SSL opens the door to man-in-the-middle attacks during the back and forth handoffs between encrypted and non-encrypted pages. Dell also failed to obscure the headers on its website, giving potential hackers information about its systems.
In January of this year, Dell customers were targeted for exploitation after a data breach revealing customer numbers and service tags allowed hackers to impersonate Dell support and acquire additional sensitive information. Dell's had other brushes with data breaches in the past, but despite all of this, its external security is still quite poor. As technology companies, this industry should be leading the way for cybersecurity, urging all organizations to step up to the reality of online business.
Samsung - 271 of 950 - www.samsung.com
With almost 500,000 employees worldwide and a hand in almost every type of consumer technology, Samsung rakes in around $300 billion a year in revenue. With a B. According to Wikipedia, Samsung's revenue is equal to 17% of South Korea's GDP. It also has the lowest rating of the field, 271, with issues in all three sections. The business score suffers slightly because the CEO approval rating is 64%. Lower CEO approval and employee satisfaction means higher risk of insider breach or other unauthorized employee access. Samsung doesn't have SPF or DMARC enabled for its domain, and doesn't use DNSSEC to protect its nameservers. Finally, its website doesn't have sitewide SSL and uses insecure cookie practices.
Companies like Samsung not only need to secure their own infrastructure, but the many devices they make and sell. How much trust can one put in the security of a device manufactured by a company whose own security is so poor? How can a company with this much money and presence lack some of the most basic and inexpensive security features on its high-traffic online store?
Toshiba - 432 out of 950 - www.toshiba.com
With a score similar to Dell's, Japan's Toshiba also falls within the warning range. Although its overall score is only 4 points off from Dell's, the way it got there was quite different. First, Toshiba's business score takes a major hit from CEO Mark Matthew's 62% approval rating and a Glassdoor company rating of 2.8. The combination of these two factors, along with the sheer size and scale of Toshiba's operation, make the company ripe for an inside breach. While Toshiba does have a valid SPF configuration for its email, it isn't using DMARC, which slightly dings the communications score. But, Toshiba's website score is over 150 points above Dell's, at 394. While still low due to the lack of sitewide SSL, it's higher thanks to obscured headers and better cookie practices.
Nonetheless, customers using sites with external ratings below 500 should be cautious, and make sure they are on an encrypted connection whenever they transmit personal information.
Acer - 378 out of 950 - www.acer.com
Acer is a Taiwanese computer manufacturer and the subject of our opening story about the recent loss of tens of thousands of credit card numbers. Acer has the second lowest score of the pack with a 378, also failing to provide sitewide SSL and other basic protections. However, other than the lack of SSL, the rest of the website configuration holds up. Acer's missing SPF and DMARC for email, which can make it much easier for someone to spoof email from them.
Chances are the "flaw" in the website that allowed the data compromise was a misconfiguration. Most outages, breaches and other computer issues are caused by misconfigurations, not vulnerabilities. And of those that are caused by vulnerabilities, most are over a year old, meaning systems were not patched in due time. It may seem mundane to grill a site over a lack of good SSL, but every "flaw" is a potential inroad for a malicious actor looking to steal and exploit data.
Hewlitt-Packard - 417 out of 950 - www.hp.com
HP is another huge player in the personal computer market and one of the most recognizable names in the space. In what is by now a pattern, HP lacks SPF, DMARC and yes, sitewide SSL. CEO Meg Whitman's 70% approval rating dings the business score as well, placing them firmly in the warning category. There's nothing new here. The industry has set a low bar for security practices and despite their size and reputation, Hewlitt-Packard is just another run of the mill tech company with bad security.
Apple - 877 out of 950 - www.apple.com
If you're an Apple fan, you're probably not surprised that Apple is the only company we looked at in this space with good security. Apple's business success is often used as proof of its culture and mission, but its cybersecurity and commitment to understanding and following (or inventing) best practices gives us an example of how the technology industry, and really all online business, should look. Tim Cook's 95% approval and the company's Glassdoor rating of 4 keep the business side strong. Apple uses SPF and DMARC, has strong sitewide SSL, obscures its headers and uses safe cookie configurations. The only thing bringing the score down at all is a lack of DNSSEC, which would tighten up security about as much as it can go at this point in time. Apple makes a lot of money and has a lot of bright people. So do the rest of these companies. Why does Apple stand out?
Microsoft Store - 585 out of 950 - www.microsoftstore.com
Finally, we took at look at Microsoft's online store, where they offer Surface tablets, Surfacebooks, Xboxes and other branded hardware. Microsoft's store comes out ahead of the pack, other than the mighty Apple, but still only finds itself in the average range-- despite having sitewide SSL. How does this happen? First of all, kudos to Microsoft for utilizing sitewide SSL, something seemingly rare in this industry. That said, Microsoft does not obscure its headers or have secure cookie configurations, knocking the website portion of its score down. A lack of DMARC nicks the communications score as well, bringing the overall score just below 600. A few easy tweaks and the Microsoft store could be as secure as Apple.
Overall, security in the personal computer outlet field is a problem. Major corporations conducting billions of dollars worth of transactions with millions of people need to take cybersecurity seriously to protect their customers, their employees and their shareholders. Many of the changes required are procedural, simple and some of them even free. There's no reason why a major site should lack SSL in 2016, or why simple webserver tweaks like hiding header info and securing cookies should be absent from them. Email phishing has been an effective attack for years now, and failure to utilize SPF, DKIM, DMARC and other verification mechanisms makes it even easier to socially engineer access. Aside from Apple, these companies should revisit their security and the policies and procedures that allowed it to remain in this state.
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.
Read Article >
The UpGuard Website Risk Grader provides a low friction way to get an initial assessment of a business' risk profile.
Read Article >