Theft Protection Service Puts Users

Theft Protection Service Puts Users' Identities in Jeopardy

A service known to protect the identities of users is now realizing it might have made its users vulnerable to attack.

LifeLock's identity theft protection service suffered from a security flaw that made users' identities vulnerable to potential attackers. The even forced its parent company, Symantec, to pull part of its website down to fix the issue after it was notified by KrebsOnSecurity.

“It is a bit ironic that LifeLock is a security company focused on helping 4.5 million consumers protect their online identities," Pravin Kothari, CEO of CipherCloud said. "They need to be on top of cyber defense best practices. This poor set-up seems to have allowed anyone to harvest all of the LifeLock subscriber emails, potentially for a phishing campaign or worse."

According to Krebs, Atlanta-based security researcher Nathan Reese discovered the vulnerability when he received a newsletter from the service. Upon clicking "unsubscribe," a page that clearly showed his subscriber key popped up. That allowed Reese to write a script that sequences numbers, which was able to pull keys and their corresponding email addresses from the service.

“This is a poor programming practice, not a misconfiguration," Mounir Hahad, head of threat research at Juniper Networks said. "On a positive note, it’s good that only email addresses were leaked. These are still valuable, but not as valuable as if names were associated with them. Single email addresses with names, or even a few hundred, might not have much street value on the dark web, but a list of several million could fetch a few thousand dollars."

Hahad explains that the trouble begins when email address and subscriber IDs are cross referenced with the billions of previously leaked online accounts from other incidents, such as the Yahoo leak in 2013.

"From there, phishing campaigns can be very persuasive and may lead to people unknowingly handing out their passwords to scammers," Hahad said.

How could this have been avioided? Kothari says LifeLock should do what the financial industry does.

"They regularly hire white hat hackers to penetration test their network and external defenses," Kothari said. "This is exactly the sort of incorrect set-up and misconfiguration a reputable penetration tester would have likely discovered. It would have been quietly fixed by now - no harm, no foul. All of this hoopla over the huge potential exposure of LifeLock customer data was totally avoidable.”

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

Featured

  • Freedom of Choice

    In today's security landscape, we are witnessing a fundamental transformation in how organizations manage digital evidence. Law enforcement agencies, campus security teams, and large facility operators face increasingly complex challenges with expanding video data, tightening budget constraints and inflexible systems that limit innovation. Read Now

  • Accelerating a Pathway

    There is a new trend touting the transformational qualities of AI’s ability to deliver actionable data and predictive analysis that in many instances, seems to be a bit of an overpromise. The reality is that very few solutions in the cyber-physical security (CPS) space live up to this high expectation with the one exception being the new generation of Physical Identity and Access Management (PIAM) software – herein recategorized as PIAM+. Read Now

  • Protecting Your Zones

    It is game day. You can feel the crowd’s energy. In the parking lot. At the gate. In the stadium. On the concourse. Fans are eager to party. Food and merchandise vendors ready themselves for the rush. Read Now

  • Street Smarts

    The ongoing acceptance of AI and advanced data analytics has allowed surveillance camera technology to shift from being a tactical tool to a strategic business solution. Combining traditional surveillance technology with AI-based data-driven insights can streamline transportation systems, enhance traffic management, improve situational awareness, optimize resource allocation and streamline emergency response procedures. Read Now

  • Midtown Manhattan Shooting Kills 4, Including NYPD Officer

    Four people were killed, including a NYPD officer, in a midtown Manhattan shooting on Monday. That’s according to CNN. Read Now

New Products

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.