Perhaps at a general level we used to trust organisations to keep a sharp eye on our data and do all they could to protect it. However, over the years, given the steady stream of hacks, perhaps we no longer do, in fact, we might be naïve to do so.

We recognise when some hacks are simply stunningly clever and outwit cyber defences by deploying sophisticated malware and attack methods that have been developed with painstaking precision.

However, we also mostly recognise when a hack is the result of a basic cyber security errors and well-worn attack methods such as deploying SQL injection technique, one of the most common web hacking methods.

Unfortunately many breaches fall in the latter category but in a move that excels in terms of self-inflicted errors, the US Postal Service (USPS) recently nearly took the crown.
  • A critical security vulnerability that exposed the data of more than 60 million customers to anyone who has an account at the USPS.com website was discovered by a researcher. 
  • The vulnerability is tied to an authentication weakness in an application programming interface (API) for a program designed to help business customers track mail in real-time. 
  • The researcher who discovered the flaw, said the API was programmed to accept any number of "wildcard" search parameters. 
  • In practise, an attacker could have scooped email addresses, usernames, user IDs, account numbers, street addresses, phone numbers, authorised users and mailing campaign data from as many as 60 million USPS customer accounts.

In short, what we have is another example of a large organisation that handles people’s sensitive data, not taking security seriously.

Somewhat alarmingly it took USPS over a week to respond to the security flaw after the researcher contacted them, and only then because a journalist called them about the potential avenue of attack.

USPS and other organisations by default should have an obligation to perform the strictest security tests for potential vulnerabilities, including APIs. This should also cover network connections, mobile apps, websites, and databases.

USPS said: "We currently have no information that this vulnerability was leveraged to exploit customer records.”

No doubt this statement masked an almighty behind-the-scenes panic.

And given that the flaw apparently existed for a year who knows whether the data has already been exploited?

German eIDs

Security researchers also discovered a flaw in the German electronic ID card system which enables hackers to spoof the identity of another German citizen and access web services. The flaw can also let someone change another’s date of birth.

A researcher was able to bypass defences on an authentication server and fool a web application into accepting the altered data.

The vulnerability is a design flaw in web applications running Autent SDK 3.8.1 and earlier versions that handle duplicate HTTP parameters.
  • Normally using this technology, when authentication is started, the web application sends a request to the eID client which then initiates all further steps needed for the authentication. 
  • It requests a PIN from the user; communicates with an authentication server, the web application and a RFID chip and finally sends a response to the web application, all of which appears to be a robust ID authentication process. 
  • However, the flaw allows an attacker to manipulate the response from the eID client without invalidating the signature. As a result an attacker can essentially alter data coming from the ID card and authenticate as any other citizen.
 
As with USPS the German eID is also a design flaw. It ideally it should have been picked up a via a design review. When critical software is developed it should be a matter of course that it is tested rigorously.

It’s clearly evident that many organisations are still not prioritising cyber security despite an avalanche of hacks and outcomes that can destroy reputations, and in the case of stock exchange listed companies send their share prices plunging.

At a wider level it’s one more compelling reason why good internet security is absolutely essential.