On February 28th 2016, “grey-hat security research group” TeaMp0isoN breached Time Warner Cable’s Business Class customer support portal with a SQL injection attack, defacing the site and snatching a database dump with more than 4,000 records including usernames, email addresses and (encrypted) passwords.
According to their website, Time Warner’s Business Class Managed Security Solutions will “help protect and connect your primary business location, teleworkers, and branch office locations.” This blurb also appears on that page:
"Data security is not just preferred, it's essential. If a company cannot transmit files in a secure manner -- whether the files contain a client's records or a business' internal operating documents then the files should not be shared over a public network unless appropriate measures are taken ensure their protection."
Ironically, a SQL injection attack is among the most common and preventable of breaches, the execution of which is only possible against poorly written SQL queries that lack the proper input validation to prevent malicious code. According to the OWASP SQL Injection Prevention Cheat Sheet, using parameterized queries or stored procedures instead of open-ended queries practically eliminates the risk of SQL injection. Both of these techniques require more effort up front than a standard SQL query, but, as this and many other data breaches prove, the cost of not doing so can be very high.
Scanning the compromised portal with our Digital Reputation tool reveals the following:
Although the external scan isn’t checking for SQL injection vulnerability, it does show that there are a few other simple security measures lacking on the site. For example, despite SSL being enabled, it does not use the industry standard SHA256 encryption. This and other factors cause the total score to drop, because every vulnerability, every missed best practice, reduces the overall resilience of the organization.
Because this was Time Warner’s business caliber portal, the information taken by TeaMp0isoN belongs to companies, not individuals, and is theoretically more sensitive and more valuable for that reason. It’s generally accepted that a “business class” service has more resiliency than a “consumer class” service, but in this case, a poorly written customer portal allowed an old and well-known exploit to access that data. In this particular case, TeaMp0isoN put the database dump on the internet for all to see, rather than holding the data hostage or selling it to a third party. No matter what the perpetrators of the breach decide to do with the data, it won’t bode well for the company-- or the customers.
Data breaches happen. But proper configuration and code practices can increase digital resiliency and prevent hackers from exploiting known weaknesses, meaning they will need to go above and beyond to breach the site, or simply move on to another target. Developers should be aware that any time an application queries a database with user supplied information, those queries absolutely must be sanitized to prevent a SQL-savvy misfit from running unauthorized commands. Furthermore, by following the well-known principle of least privilege, the database accounts running the queries should not have even had the access to retrieve the data requested by the injection.
Now Time Warner has to react, legally, technically and with public relations to handle the breach and lost data. In addition to fixing the offending code, which could have been done as part of a general resiliency check beforehand, they now have to deal with insurance, liability and communication with customers, peers and those whose data was taken, all of which come at a cost. A large company like Time Warner can weather the storm of this breach, but the question remains: will they put their finger in the hole in the dam that has already been exposed, or will they use this opportunity to reassess their digital resilience across the board and implement a new strategy that will proactively address the kind of lapses which lead to these breaches in the first place.