Last weekend hackers posted more than 20,000 of Bell Canada’s small-business customer usernames and passwords online, a reminder that users and companies alike need to start taking data protection more seriously.
BCE Inc.-owned Bell Canada confirmed Sunday that 22,421 usernames and passwords and five valid credit-card numbers were posted online after what it called an “illegal hacking” of an Ottawa-based third-party IT supplier.
The telecommunications company insists its own systems “operate with the highest standards of data security with encryption and other data and system protections.”
BCE will not comment on the details of its continuing investigation into the incident, but a group that calls itself NullCrew claimed responsibility for the attack on Twitter and supplied purported screenshots of the attack mechanism.
The hackers gained access to the user information through what is known as an SQL injection attack, which exploits weaknesses in the way a website builds the queries it sends to its database in the language designed to retrieve information from it.
Chester Wisniewski, senior security adviser at Sophos Canada based in Vancouver, said the hackers who targeted millions of Sony Playstation users in several attacks in 2011 also used the SQL injection technique.
If hackers find an SQL vulnerability in a company’s website they can in theory use it to query the database – sometimes as if they had access similar to that of an administrator – and pull records out, a technique that allows for bulk extraction.
“They look at the list and go, ‘Let’s look at all the sites we’ve found with a flaw. Ooh look at this one: Bell. That’s big.’”
Hackers often set up an automated script to scan numerous websites looking for SQL vulnerabilities, Mr. Wisniewski said, adding that they might not have initially targeted BCE.
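To make the mechanism concrete, the following is an added example (not code from the article or from any of the companies named in it) showing the two ways a website can look up a user by name. It uses a constructed in-memory SQLite table with made-up accounts; the function names and the sample input are assumptions for illustration. The first version pastes user-controlled text into the SQL statement, so the input can change the query's structure and the lookup returns every row; the second hands the value to the database driver separately, so the identical input is treated as a literal and matches nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small accounts table, not any real dataset."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    # VULNERABLE: the user-supplied string is concatenated into the statement,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # SAFE: the '?' placeholder is bound by the driver; the input can only ever
    # be compared as a value, never interpreted as part of the query.
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input containing a quote character, the kind of thing an input
# validator or web application firewall would flag in a username field.
SUSPICIOUS_INPUT = "x' OR '1'='1"


def demo():
    """Return the row counts each lookup style yields for the same inputs."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, SUSPICIOUS_INPUT)),
        "parameterized": len(lookup_parameterized(conn, SUSPICIOUS_INPUT)),
        "normal": len(lookup_parameterized(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The defensive lesson is the second function: parameterized queries (prepared statements) are the standard fix, and the contrast in row counts is also a useful detection signal, since a single-user lookup that suddenly returns the whole table is exactly the bulk extraction the article describes.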
Most Internet users now understand that good passwords should include a long string of random characters, numbers and upper- and lower-case letters; however, even the strongest password will be of little use if hackers can access it in plain text.
The hackers also claim that they told BCE about the data breach more than two weeks before posting the information online.
One of the screencaps they supplied purported to show an online chat with a Bell Internet customer service representative, who does not appear to understand the significance of the hackers’ claims.
A spokesman for BCE said the company responded, “as soon as we became aware of the issue,” but did not specify when that was.
Mr. Wisniewski said, “With all the hacking stories we’ve seen in the news – Target, Adobe – maybe it’s time that every company gets more paranoid about our information.”