MY TAKE: Massive data breaches persist as agile software development fosters full-stack hacks

By Byron V. Acohido

Data leaks and data theft are part and parcel of digital commerce, even more so in the era of agile software development.

Related: GraphQL APIs stir new exposures

Many of the high-profile breaches making headlines today are the by-product of hackers pounding away at Application Programming Interfaces (APIs) until they find a crease that gets them into the pathways of the data flowing between an individual user and myriad cloud-based resources.

It’s important to understand the nuances of these full-stack attacks if we’re ever to slow them down. I’ve had a few deep discussions about this with Doug Dooley, chief operating officer at Data Theorem, a Palo Alto, Calif.-based software security vendor specializing in API data protection. Here are a few key takeaways:

Targeting low-hanging fruit

Massive database breaches today generally follow a distinctive pattern: hack into a client-facing application; manipulate an API; follow the data flow to gain access to an overly permissive database or S3 bucket (cloud storage). A classic example of this type of intrusion is the Capital One data breach.

Suspected Capital One hacker Paige Thompson was indicted for the alleged breach and theft of data on more than 100 million people, including 140,000 Social Security numbers and 80,000 linked bank account numbers. The 33-year-old former Amazon Web Services (AWS) software engineer was also accused of stealing cloud computing power on Capital One’s account to “mine” cryptocurrency for her own benefit, a practice known as “cryptojacking.”

Thompson began pounding away on Capital One’s public-facing applications, supposedly protected by its open-source Web Application Firewall (WAF), and succeeded in carrying out a “Server-Side Request Forgery” (SSRF) attack. By compromising the client-facing application, she was able to relay requests to a legacy AWS metadata service and obtain credentials.

Password and token harvesting is one of the most common techniques in hacking. Using the valid credentials, Thompson was able to reach, via APIs and command line interfaces (CLIs), a wide variety of low-hanging fruit: S3 buckets holding valuable data. She then extracted the data to her local machine and openly bragged about her escapades in hacker forums, on Twitter, and even in posts in her GitHub repositories, which led to her arrest by the FBI.
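As an added example (not code from the article, Data Theorem or Capital One), here is the defensive counterpart to the SSRF-to-metadata chain described above: a server-side fetch helper that checks a user-supplied URL against a host allow-list and refuses to connect to any address that is not globally routable, which covers loopback, private ranges and the link-local 169.254.0.0/16 range where cloud instance metadata endpoints live. The host names, the allow-list and the injectable resolver hook are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed allow-list of hosts the application legitimately fetches from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}


class UnsafeUrlError(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""


def _resolve_all(host):
    """Resolve every address for host (as strings); injectable so tests run offline."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise UnsafeUrlError(f"cannot resolve {host}") from exc
    return {info[4][0] for info in infos}


def is_forbidden_address(address):
    """True for any address that is not globally routable: loopback, RFC 1918
    space, and link-local 169.254.0.0/16, where instance metadata services sit."""
    return not ipaddress.ip_address(address).is_global


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=_resolve_all):
    """Return the parsed URL if it is safe to fetch, else raise UnsafeUrlError.

    Checks the scheme, then the host allow-list, then every resolved address,
    so an allow-listed name that resolves to an internal address is still rejected."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise UnsafeUrlError(f"scheme not permitted: {parsed.scheme!r}")
    host = parsed.hostname
    if not host or host not in allowed_hosts:
        raise UnsafeUrlError(f"host not on allow-list: {host!r}")
    for address in resolver(host):
        if is_forbidden_address(address):
            raise UnsafeUrlError(f"{host} resolves to non-global address {address}")
    return parsed


def url_is_allowed(url, resolver=_resolve_all):
    """Boolean form of validate_outbound_url for callers that only need a verdict."""
    try:
        validate_outbound_url(url, resolver=resolver)
    except UnsafeUrlError:
        return False
    return True
```

Resolving the host and checking every returned address, rather than string-matching the URL, is what closes the gap a WAF rule on the literal metadata address leaves open.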

Dinner bell rings

Whatever her motivation, when Thompson decided to exploit Capital One’s application and cloud security stack, she resorted to tried-and-true tactics used by ethical researchers, as well as by criminal hackers. The former group spends their time flushing out application security flaws so they can be fixed, the latter seeks out vulnerabilities – and exploits them – for malicious reasons. Both are simply taking the easiest path to harvest low-hanging fruit.

And in today’s environment of open, decentralized software development, there are countless paths to vast orchards of ripe fruit. This is because companies are pouring their all into rapid deployment of minimum viable software. They get the best and brightest developers to cobble together modular snippets of code, i.e. microservices, which then get packaged in software containers residing in cloud storage. This collaboration gets done by far-flung team members working remotely.

The idea is to learn as quickly as possible if something works or fails. Next, the developers iterate and remediate on the fly, resulting in spectacular innovations – but also the need to continually update and issue patches. And all of this frenetic activity is made possible by a deepening reliance on APIs which serve as the conduits that enable two software applications to exchange information.

This is the essence of digital agility. A supremely agile and dominant media streaming company like Netflix makes hundreds of software changes each day in this fashion. Across all industries, any organization of any size that hopes to stay competitive must innovate and remediate much along the same lines.

However, whenever a company deploys a new app, issues a service pack update or requires installation of a security patch, this is like a dinner bell going off for both ethical researchers and criminal hackers alike, Dooley told me.


“When a company rolls out a new service or says, ‘Hey, my app has some issues that need to be remedied, please push these things into your code base,’ it’s a signal to hackers to go look at those features and those functionalities to see what’s in there that they might be able to compromise,” he says.

This makes perfect sense. The newer the code, the less likely it is to be security hardened, especially given the way agile software development is designed to continually iterate.

In a sense, software updates and security patches help hackers cut through the swelling complexities of a sprawling software system. A single API may enable connections to 1,000 or even 10,000 operations. So a software update or a security patch directs the hacker to the eight or 10 of the newest operations that are sure to be the least hardened, Dooley says.

A few steps behind

This logic plays out time and time again. When Microsoft rolled out a new Bing mobile app for Android and iOS, it attracted ethical researchers and threat actors to pound away. Not long afterwards, analysts from WizCase discovered that someone had succeeded in removing the password protecting the underlying Elasticsearch database supporting the new Bing app.

This meant that the Bing servers running on Azure Cloud were left unprotected for several days with some 6.5 terabytes of search data accessible by anyone with modest computer skills. This exposed data included search terms, GPS coordinates, lists of URLs visited and unique device identifiers for users of the Bing mobile app.

Most recently, WizCase disclosed a massive data breach of the popular mobile game Battle for the Galaxy’s underlying database. In this case, a weakly protected Elasticsearch server owned by AMT Games exposed 1.47 terabytes of data, including gamers’ email addresses, IP addresses and Facebook data. Someone actually circulated a link making this unencrypted data accessible to anyone who possessed the link, with no need for a password or login credentials.


The work of ethical hacking groups, like WizCase, is commendable. However, let’s not overlook the fact that the good guys often are a few steps behind the bad guys in responding to the dinner bell every time it goes off. In both the Bing mobile app and AMT Games breaches, massive caches of sensitive personal data were very swiftly located and exposed by malicious hackers – exploits which were then discovered and disclosed by the WizCase white hats following a few steps behind.

What’s happening is that companies are pushing out new features and patching software without automating the security analysis and remediation before it goes into production. As part of the hot pursuit to monetize data, organizations are opening up paths to new orchards of highly profitable information stores intended for customers and business partners.

“They’re telling hackers, ‘Hey, I just showed you a bunch of new capabilities running on new databases and storage buckets on API-driven cloud services that are probably not fully locked down yet,’” Dooley says. “And it would be a good guess that the authentication and authorization components are probably not fully vetted either.”

Clearly, the pursuit of digital agility is expanding the attack surface more profoundly than anyone imagined. More proactive management of this highly dynamic attack surface must come, and soon. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)


