Third-party components are also a responsibility

Mar 1, 2015 17:31 GMT

There are very few companies today that can control all aspects of their business, since in many cases certain operations or services rely on solutions created and/or managed by a different entity.

In most cases, the choice to use products from a different entity stems from financial or technical reasons. However, apart from benefits, this also comes with a security risk that may have a significant impact on the business, unless proper measures are taken to reduce it or even eliminate it.

Recent examples include big names, such as the UK communications provider TalkTalk and the Chinese manufacturer Lenovo, as well as smaller businesses whose day-to-day activity relies on third-party web components.

Phone scams rely on data stolen through third parties

Hackers know that attacking the target directly can be too difficult a task, so instead they try to compromise the services it uses, which oftentimes are not protected by top-notch security measures and offer a way into the victim's network.

This scenario played out recently in the TalkTalk incident, when information belonging to its customers and stored on its network was accessed by unknown individuals: the hackers had compromised the computer systems of a third party that was authorized to connect to TalkTalk's infrastructure.

The crooks gained access to account numbers, names and addresses, which were used to win the trust of TalkTalk customers and to trick them into providing banking information, downloading malware onto their computers, or purchasing useless software promoted as an antivirus solution.

Some clients fell for the deceit and lost thousands of pounds in the process. Although TalkTalk did its best to minimize the damage after the breach occurred, it is unclear whether it could have done more to prevent the incident.

Third-party component puts Lenovo customers at risk

Another instance of a third party having a negative impact on a big business is the Superfish browser add-on, which came pre-installed on some Lenovo consumer notebooks and hijacked secure connections, including those to banks, in order to inject ads into web pages.

Lenovo became the target of very vocal criticism when security researchers discovered that the private key of the root certificate Superfish added to the system was the same on every machine and was very easy to crack. Because every affected machine trusts that root, anyone holding the key could issue certificates those machines would accept for any site.

The transparent proxy the add-on used to do its ad injection was not developed by Superfish itself but licensed from a different company, called Komodia.

Unlike TalkTalk, Lenovo could have avoided all the trouble that ensued from this blunder if every aspect of how the third-party component did its job had been thoroughly checked beforehand.

The company, however, was quick to repair the damage and took urgent measures as soon as it learned the full extent of the problem. Initially, users received instructions on how to manually remove Superfish and its root certificate, and later Lenovo rolled out a tool that did the job automatically.

CMS plug-ins are very common and pose a greater risk

There are plenty of smaller businesses that rely on various plug-ins to extend the functionality of their website. They are highly convenient, especially since most of them are free of charge.

What the administrator has to keep in mind, though, is that they are also far from perfect and that vulnerabilities are constantly being discovered in plug-ins for the more popular content management systems.

As such, watching for new releases and applying the updates should be part of the regular maintenance routine. Failing to do so could result in financial penalties from regulatory bodies, although that should be the least of the worries.

This week, security researchers from Akamai and PhishLabs announced the discovery of a large botnet of Joomla servers that was used for DDoS (distributed denial-of-service) purposes.

Closer analysis showed that the cybercriminals exploited a known vulnerability in the Google Maps plug-in to conduct the assaults on the targets.

In a different story this week, Sucuri discovered that the WP-Slimstat plug-in for WordPress made it trivial to recover the key used to sign the data exchanged between the client and the server.

The danger was that, with the key in hand, an attacker could run a blind SQL injection attack and read sensitive information from the website's database.

Examples of WordPress plug-ins posing a security risk are not uncommon, and the only criterion cybercriminals generally apply when choosing which flaws to exploit is how many victims they can reach.

Third-party components are not just a solution that makes things easier for the business owner; they are also a responsibility and should be treated as such.

Any problem with them affects users and customers at one end and the maintainer of the solution at the other, and everything in between is hit just as hard.