Asda slammed for letting vulns fester on its cyber shelves

Supermarket chain Asda has come under fire for sitting on a potentially serious set of web vulnerabilities on its website for almost two years. As first reported by The Register on Monday, UK security consultant Paul Moore warned Asda about a shopping list of online vulnerabilities in March 2014. Asda upped the grade of its …

  1. BebopWeBop

    Security - a cost centre, as always. Just like their free tea and toast for employees I suppose.

    1. Hans 1

      Problem Solved

      There is a chain of command and somebody said: "Fix this, don't bother fixing that." He who said that should be made public, never to find a job again in IT.

  2. Lysenko

    Not to defend Walmart for a second, but...

    >> the company is not short of resources to deal with any problems discovered

    This sort of simplistic thinking always winds me up. Nine hours of heart surgery doesn't become 30 minutes because you throw 18 surgeons at the problem. Cash, staff numbers and a capital equipment budget won't materially change the timeframe needed to fix a live site ... in fact "resources" can be a liability because PHBs don't get the first point. Adding people to a problem frequently just adds to the problem.

    Preventing these problems arising is a different matter. A fully resourced security and QA section is invaluable. I'm only discussing dealing with issues after discovery (i.e. after QA and "DevOps" already failed).

  3. NinjasFTW

    horrible sign up process

    I created an account with them a couple of weeks ago to do an online shop and noticed some issues with their sign up page.

    They wouldn't accept my perfectly valid site specific email address of asda@catchall.XXXXX.com

    The password was limited to 12 characters!

    They had disabled copy/paste in the password fields, so my usual habit of using a password generator and then copy/pasting the password in was difficult.

    I should have bailed but I was lazy and had just spent an hour putting stuff in a basket so signed up anyway.

    I sent them an email highlighting my concerns with their signup page and got a voicemail (Indian accent) a few days later saying that they could see that I managed to create an account in the end so what was the issue?

    They obviously don't give a flying fuck about security.

    I won't be using them again and have since invalidated all the details I submitted.

    1. Anonymous Coward

      Re: horrible sign up process

      "The password was limited to 12 characters!"

      That is a great step up from the early days, where they decided a 4 digit pin number was all that was needed to protect customer details from anyone else accessing them.

      1. Stoneshop

        Re: horrible sign up process

        a 4 digit pin number

        And not just any PIN number; it's your personal PIN number!

    2. teebie

      Re: horrible sign up process

      "The password was limited to 12 characters"

      This makes me suspect a future headline will be about how poor Asda's website's password protection is. It wouldn't surprise me if they stored them in plaintext, and would surprise me if they are hashing them properly.

      1. Martin Milan

        Re: horrible sign up process

        If they are hashing passwords correctly, then the length of the password chosen by Johnny/Joanna User should be of precisely SOD ALL interest to them...

        1. Paul Moore

          Re: horrible sign up process

          Not quite Martin.

          Some algorithms have an upper limit (bCrypt for example) and password fields without a sensible limit potentially leave the app vulnerable to auth-based DDoS.
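          Paul Moore's point, as an added example (not code from the article, Asda or any commenter): bcrypt only uses the first 72 bytes of a password, and any slow password hash costs real CPU per attempt, so an unbounded password field lets a client make the server burn that cost on megabytes of input per login. The defensive shape is to check length before anything expensive, hash with fixed cost parameters, and keep the cap well above what a real user will type. The policy limits, the scrypt parameters and the `bcrypt_effective_bytes` helper below are assumptions chosen for illustration; `hashlib.scrypt` is Python's standard-library scrypt (it needs an OpenSSL build that provides it).

```python
import hashlib
import hmac
import os
from typing import Optional

# Policy constants: assumed values for this example, not any site's real settings.
MIN_PASSWORD_BYTES = 12
MAX_PASSWORD_BYTES = 128      # far above a human password, small enough to bound KDF cost
BCRYPT_INPUT_LIMIT = 72       # bcrypt ignores every byte after the 72nd

# Fixed scrypt parameters: the work done per hash does not depend on the caller's input.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


class PasswordPolicyError(ValueError):
    """Raised before any hashing when the submitted password is outside policy."""


def check_length(password: str) -> bytes:
    """Validate the UTF-8 byte length first, so oversized input never reaches the KDF."""
    data = password.encode("utf-8")
    if len(data) < MIN_PASSWORD_BYTES:
        raise PasswordPolicyError(f"password must be at least {MIN_PASSWORD_BYTES} bytes")
    if len(data) > MAX_PASSWORD_BYTES:
        raise PasswordPolicyError(f"password must be at most {MAX_PASSWORD_BYTES} bytes")
    return data


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'scrypt$N$r$p$salt$digest' string for storage."""
    data = check_length(password)
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(data, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters; out-of-policy input fails fast, without hashing."""
    try:
        data = check_length(password)
    except PasswordPolicyError:
        return False
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(data, salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def bcrypt_effective_bytes(password: str) -> bytes:
    """The part of a password bcrypt would actually use: anything past 72 bytes is silently dropped,
    which is why a cap *above* 72 must be enforced and documented rather than assumed away."""
    return password.encode("utf-8")[:BCRYPT_INPUT_LIMIT]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("x" * 10_000, record))                      # False, and no KDF work done
```

          A cap of 128 bytes costs a real user nothing, while the missing cap is what turns a slow hash into a cheap way to load the login endpoint; the 12-character limit the thread complains about is a different mistake, a ceiling so low it weakens the password rather than protecting the server.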

    3. Boothy

      Re: horrible sign up process

      Quote: "They had disabled copy/paste in the password fields so that my usual habit of using a password generator and then copy/pasting the password in was difficult."

      I also use a password manager, and that's also one of my pet peeves.

      If you're using Chrome (other browsers are available), there is an extension called "Don't f##k with paste" which seems to fix most of these issues.

  4. PJ H

    For? Serious?

    "Supermarket chain Asda has come under fire was sitting on a potentially series set of web vulnerabilities on its website for almost two years."

    Wot??

    1. Dominion

      Re: For? Serious?

      It's a new language that The Register are developing for their contributors. Still, it's not as bad as the article yesterday by Marcus Gibson.

  5. Cynical Shopper

    PCI Compliance

    Who the hell have Asda been using for their penetration testing?

    1. Martin Summers

      Re: PCI Compliance

      Paris... Cos she'll just lay back and take it too.

    2. Vic

      Re: PCI Compliance

      Who the hell have Asda been using for their penetration testing?

      They got a specialist in. He was the former Managing Editor of Wet Spaghetti Weekly

      Vic.

  6. Boothy

    Mandatory security certification for all retailer/bank web sites

    It's about time some form of mandatory security certification was implemented for all web sites hosting retailers, financial institutes, basically anyone that handles money or holds personal details.

    Something simple to understand, along the lines of the food and hygiene certificates you get in places that sell food, with a simple 0-5 rating.

    All the web sites would be required to show the rating in a consistent manner, in the same location on at least the home page, and the order processing pages.

    Rather than hosting the certificate as an image, the actual web site code/html could be a simple bit of common code, used by all sites, using some unique company and/or site specific key, that generates the info-graphic dynamically (a vector format, rather than bitmap to keep the size down).

    Clicking on the info-graphic on the page, would take you to a centrally hosted official (gov?) site, that holds all the records, and could give more details, such as the companies security history over the last 12 months or more.

    Testing of sites should be a scripted/automatic [*] process that is updated regularly to keep pace, and performed say once per month, which automatically updates the rating if it changes, and notifies the site owners of these same changes, in case they need to do anything to fix issues etc.

    You could implement a grace period, i.e. rating goes down by 1 point, so site has 1 week to fix the issues and re-evaluate before the info-graphic on the page is downgraded. If the rating goes down 2 points, they have 3 days to fix etc.

    If they don't fix in time, their rating goes down, and won't go back up until the next monthly check, therefore basically shaming them for a month, and likely impacting their sales for that period.

    Funding of the service should come from business taxes.

    * You might not be able to automate everything, so a % of the rating might be based on other information, which might need to be captured via other means (ISO audit etc.).

    1. Mark 85

      Re: Mandatory security certification for all retailer/bank web sites

      Given that e-commerce is world-wide, there would or should be a requirement then for this being international in scope and implementation.

      There are inherent problems with this, such as is the agency just a rubber-stamp? In some places, the agency personnel are open to bribes or just not giving a damn who they pass.

      The other problem is does anyone besides us IT types really care? Most users seem to have the attitude that all this "security" and "privacy" doesn't affect them until they become a victim.

  7. Captain DaFt

    Security 101 - Corporate Edition

    All you need to know about corporate security summed up in one sentence:

    -The US-owned chain later said “there is no evidence of any customer information being compromised as a result of these issues”-

    Let me break it down for the hard of learning.

    If:

    A. It's not illegal to do it this way.

    B. It's not affecting the corporate image.

    C. It hasn't lost the corporation any money to date.

    Then fuck it!

    Congratulations! You have now passed Corporate Security 101.

  8. Vic

    Same old PR-speak...

    Asda and Walmart take the security of our websites very seriously and we review our systems and software regularly

    This tells me that at least one of the following must necessarily be true:

    • Asda is lying through its teeth
    • Asda is not sufficiently competent to realise just how borked is their security

    I'm not sure which scares me more...

    Vic.

  9. Down not across

    No evidence

    The US-owned chain later said “there is no evidence of any customer information being compromised as a result of these issues”

    That doesn't in any way mean the information has not been compromised.

  10. Anonymous Coward

    Meanwhile

    Meanwhile in Leeds a virus got through the layered defence and infected 10% of head office laptops.

  11. The Integrator

    Don't talk vulnerability, talk business impact

    I see this regularly, systems with vulnerabilities and the OWASP Top 10 being ignored. Why? Because security "consultants" and penetration testers talk techie. Very few talk business impact and tie a monetary value to what the costs will be when that vulnerability is exploited. Instead of shouting "grenade" and running away, we need to be saying "this is the issue", "this is the impact", "this is what it will cost" and "this is how we can fix it and the cost to do so". I recently had this conversation with a senior management team. Within 15 minutes, they said "it's a no brainer" and I'd secured the funding to address my findings. You have to do the leg work up front. It took nearly a month to get to that 15 minute conversation, but that is what it takes to get it right and get it actioned.

    Why don't people do this? Because getting the financial impact of a vulnerability can be very esoteric, but with more real-world examples happening in the press, combined with an understanding of what that vulnerability, if exploited, will mean to your business, it is getting easier. You have to start with the value of the data to the business, look at the fines that could be levied and look at the impact on share price. That last one's an interesting one, as a savvy investor would know that on announcement in the press you could short that company, know the company will recover over time and go long on it. For every cloud :-)
