Theft Protection Service Puts Users

Theft Protection Service Puts Users' Identities in Jeopardy

A service known to protect the identities of users is now realizing it might have made its users vulnerable to attack.

LifeLock's identity theft protection service suffered from a security flaw that made users' identities vulnerable to potential attackers. The even forced its parent company, Symantec, to pull part of its website down to fix the issue after it was notified by KrebsOnSecurity.

“It is a bit ironic that LifeLock is a security company focused on helping 4.5 million consumers protect their online identities," Pravin Kothari, CEO of CipherCloud said. "They need to be on top of cyber defense best practices. This poor set-up seems to have allowed anyone to harvest all of the LifeLock subscriber emails, potentially for a phishing campaign or worse."

According to Krebs, Atlanta-based security researcher Nathan Reese discovered the vulnerability when he received a newsletter from the service. Upon clicking "unsubscribe," a page that clearly showed his subscriber key popped up. That allowed Reese to write a script that sequences numbers, which was able to pull keys and their corresponding email addresses from the service.

“This is a poor programming practice, not a misconfiguration," Mounir Hahad, head of threat research at Juniper Networks said. "On a positive note, it’s good that only email addresses were leaked. These are still valuable, but not as valuable as if names were associated with them. Single email addresses with names, or even a few hundred, might not have much street value on the dark web, but a list of several million could fetch a few thousand dollars."

Hahad explains that the trouble begins when email address and subscriber IDs are cross referenced with the billions of previously leaked online accounts from other incidents, such as the Yahoo leak in 2013.

"From there, phishing campaigns can be very persuasive and may lead to people unknowingly handing out their passwords to scammers," Hahad said.

How could this have been avioided? Kothari says LifeLock should do what the financial industry does.

"They regularly hire white hat hackers to penetration test their network and external defenses," Kothari said. "This is exactly the sort of incorrect set-up and misconfiguration a reputable penetration tester would have likely discovered. It would have been quietly fixed by now - no harm, no foul. All of this hoopla over the huge potential exposure of LifeLock customer data was totally avoidable.”

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

Featured

Featured Cybersecurity

Webinars

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3