¶ Verizon Data Breach Analysis
Welcome to , and welcome to , Technology Tap . I'm Professor J-Rod . In today's episode , another summer series . This time , they're going to talk about the Verizon hack . Let's get into it , all right . All right , welcome to Technology Tap .
For those who don't know me , my name is Professor J-Rod and I'm a professor of cybersecurity , and if you've been listening , you know that I've been doing , in collaboration and cooperation with some of my students , a summer series on hacking on companies that have been hacked . This episode is going to be about the Verizon hack . I think it happened in 2016 .
It's by Alexis and Aaron . Thank you so much for agreeing to participate in this assignment , and you know so far I've done . This will be number three . I think the students have done an excellent job and I'm very grateful for them wanting to volunteer and do this . So , all right , here's Alexis and Aaron .
Good afternoon . I'm Aaron Kispe and I'm here with my co-host , Alexis Severo , and today's topic is what happened to Verizon in 2016 . But before we get into any specific details , Alexis , can you tell us who or what Verizon is ?
Certainly . Verizon was founded in 1983 as Bell Atlantic Corporation . Then in 1996 , they merged with NYNEX under the name Bell Atlantic . Finally , in 2000 , Bell Atlantic merged with GTE to form a company known as Verizon . Verizon is one of the largest telecommunication companies in the world . It has operations in over 150 countries serving over 140 million customers worldwide .
Verizon provides a wide range of services . It is organized into three divisions . The first division is the consumer group , which provides wireless network services to residential homes and businesses . Then there's the business group , which caters to enterprise clients with secure and reliable network connectivity , cybersecurity solutions , cloud computing and data center services .
And let's not forget about the media division , which oversees digital advertising and provides online services through their platforms .
That is Verizon as we know it today . So what reasons would a threat actor have for attacking them in 2016 ?
Good question . Well , during that time period , Verizon Enterprise Solutions had a customer base of 1.5 million customers . Additionally , about 99% of Fortune 500 companies that year were using Verizon Enterprise Solutions in their daily IT environments . Not only is there a large pool of potential victims , but many of these are high-value targets .
This made Verizon an enticing target for any financially motivated threat actor , who could then sell the stolen information or exploit basic contact details for phishing and future cyber attacks . Now , Alexis , what specifically happened during this data breach ?
Well , in March of 2016 , a database containing customer information from Verizon Enterprise Solutions was being advertised for sale on a cybercrime forum . The seller gave interested customers the option of buying the entirety of the compromised database for $100,000 .
The alternative option was to buy the information in chunks of 100,000 records for $10,000 , a package forcing potential customers to gamble on the type of information they were buying . The poster was also offering to sell information about security vulnerabilities in Verizon's website .
The threat actors were able to do this by exploiting a security vulnerability in the enterprise client portal .
Aaron , can you go into further detail about the information we found regarding this data breach ?
Although not many details about this attack were released , Verizon claimed that no customer proprietary network information was accessed or accessible . What was stolen , though , was basic contact info like names and email , but in that same response , Verizon claimed to have resolved this issue , but just a couple weeks later , their PR team claimed that the database that was being sold online was just fictitious data .
Naturally , we had to investigate to see if there was any truth behind the claims made by Verizon , or were they just downplaying the impact of this breach ? And , most importantly , we wanted to know if the seller of the compromised database could provide more insight into the weaknesses of Verizon's web services .
Giving credence to the claims made by the seller , on April 14 , 2016 , another security flaw in Verizon's website was discovered . It was discovered that anyone with a valid Verizon.net account would be able to change the forwarding settings of another person's account .
Imagine having your password reset emails being sent to another person and , worst of all , not knowing that they were being sent to them in the first place . Victims of this exploit would have no way of knowing that their email address was compromised because they would not be able to receive any suspicious emails in their inbox .
Before we get into any specific information about this vulnerability , it is important that we give listeners a brief overview of what website API security is .
Absolutely . Web API security is essential for protecting sensitive data and ensuring the integrity of online systems . At its core , web API security focuses on safeguarding the application programming interfaces that enable communication between the different software applications over the internet .
APIs serve as the bridge between the front-end user interface and the back-end server , where the data is then stored and processed . When a user interacts with a web application , they're essentially sending requests to the API endpoints , which then process these requests and return the appropriate response .
However , ensuring the security of these API endpoints is crucial , as they can be vulnerable to various threats if they're not properly protected . That's where measures like authentication , authorization and encryption come into play .
The API gateway acts as the gatekeeper , verifying the identity of users and ensuring that they have the necessary permissions to access the requested data . By encrypting the data in transit and at rest , organizations can prevent unauthorized access and protect the sensitive information from prying eyes .
So , in essence , web API security is all about fortifying the communication channels between the different software components , ensuring that the data remains secure and confidential throughout the exchange process . But now , Alexis , what specific vulnerability was being used for this exploit ?
What was being exploited is known as an insecure direct object reference vulnerability , which means there was an issue with the API endpoint . As I stated earlier , a threat actor only needed a valid Verizon.net account to take advantage of this exploit .
Then they must obtain the user ID of an email , which they can do by looking at the forwarding settings of an email account , more specifically , the proxy settings . The user ID is important because it is used to identify accounts in Verizon's internal systems .
It also points to another internal ID known as the mail ID .
The mail ID is what is used to identify a specific email address in Verizon's internal systems . This was only possible because Verizon exposed an API endpoint that gave people the means to look up a target's mail ID . A user would then send a POST request to the URL of the exposed API endpoint , which was dot Verizon dot com forward slash webmail forward slash driver question mark N-I-M-L-E-T equals mail ID lookup .
A POST request , put simply , is sending information from your computer to another computer . Once a person has this information , they could change the mail ID that their user ID points to .
From there , they could change the forwarding settings like normal but this time the settings are saved for another account . So we can see that these two vulnerabilities are not the same thing , but they are related to each other . A vulnerability in one can be used to affect the security of the other one .
A vulnerable client portal can be used to make unauthorized API requests . An exposed API endpoint can be exploited by manipulating requests from the client portal . Luckily for users , this flaw was patched on May 12th of 2016 .
But this was a dangerous month for users of this email service . Verizon.net is now a discontinued service , but there is a lot we can learn from this security flaw .
¶ Enhancing Data Security Practices
Aaron , can you give the listeners an idea of what companies can do to protect against data breaches in general ?
Let's start by addressing the need to enhance your system monitoring and auditing practices . Introducing a security information and event management system can significantly bolster your security efforts . This system collects and analyzes the security logs from across the network .
Moving on , we'll discuss the implementation of role-based access control as a fundamental measure in fortifying your database security . RBAC works by restricting access to sensitive data based on the employee's role within the organization .
By enforcing RBAC protocols , you can mitigate the risk of unauthorized access and data breaches , ensuring a more secure environment for your organization's data .
Lastly , before dealing with a third-party vendor , it is good practice to conduct a thorough security assessment on the company before granting them access to your customer database . Include specific data security requirements in these contracts and regularly monitor vendor activity .
And don't forget to hold them accountable for meeting those security standards that were agreed upon . Now , with that being said , Alexis , what are your thoughts on what happened to Verizon ?
Personally speaking , I have a greater appreciation for the security alert emails I receive .
It's reassuring that should my email address be compromised , I can be informed of it immediately .
Honestly , I think one of my problems is going to be reading that email on time , because I'm not good at looking at my email , but like it's good , like I said , this is reassuring that I also like to have like emails separated for different things . I have one for school , one for applying for jobs another one just for , like , personal browsing .
Of course , it's good to keep your things organized . Yeah , so when I do get breached , I want to limit the scope of it , of course .
But I recommend people find a balance between convenience and security , because I think this is good enough for me , but people might struggle just remembering one password , so I recommend just trying to use as many different passwords as they can .
Or a password manager .
I mean that too . That would work , but like , this works for me and people just go with what works for them .
I mean , I guess that could be true , but you know , security over convenience at the end . I mean , if you want your things to be protected , yeah , but you don't want to get locked out of your account , that's true too .
Well , I think about this whole situation that it's a bit ironic that Verizon Enterprise is typically the one telling the rest of the world how these sort of breaches take place , which is why I recommend reading Verizon's annual Data Breach Investigations Report , because each year it is full of interesting case studies from actual breaches . Yeah , like the viral one .
Yes , and most of these case studies include hard lessons which mostly age very well . Even a DBIR report from four years ago has a great deal of relevance to today's security challenges .
So there is always something to learn from all these breaches , even if they were a couple of years ago , because technology keeps advancing , but the concepts stay the same . That's true , and with that we conclude today's segment . Thank you , Dr. Rodriguez , for having us on your podcast .
Yeah , thank you for this growing experience .
All right , that's going to put a bow on the show . Thank you so much for listening . Thank you to Alex and Aaron for that lesson on the Verizon hack . We all appreciate it and we hope you learned something .
Until next time .
If you want to reach me , you can email me at professorjrod at gmail.com . That's P-R-O-F-E-S-S-O-R-J-R-O-D at gmail.com . This has been a presentation of Little Chacha Productions . Art by Sarah . Music by Joel Kim . Until next time .
