By Bryan Becker, WhiteHat Security and Simon Whittaker, Vertical Structure
It’s in the nature of cybersecurity that every technology vendor and service provider is vulnerable to security breaches and attacks in some form. But whether it’s Microsoft, Google, Amazon or Facebook, how organizations react to a problem can be just as important as the steps they take to prevent them.
In the past decade, we have all seen dozens of tech giants fall victim to devastating data breaches and crippling vulnerabilities with cyberattacks becoming the fastest-growing crime in the U.S. In WhiteHat’s 2018 Application Security Statistics Report, it was discovered:
This data underlines how every organization can be affected by an outside adversary or data leak even with security barriers in place.
In this article, we’ll take a closer look at how research partners Vertical Structure and WhiteHat Security worked together to identify and verify a vulnerability, and then notify and work with the vendor to quickly and effectively remediate the issue and protect customers.
In the fall of 2018, during a search on Shodan.io, software designed to monitor network security, a Vertical Structure employee discovered a pattern of unmarked files that looked out of place. After some investigating, the researcher found external hard drives that would leak information through specially crafted requests via an API but not through their web interface. Initial estimates showed that many terabytes of data were exposed
While Google had already indexed a number of these devices, Vertical Structure decided to investigate a bit further to find out what kind of information was being compromised.
Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106. Within these files, there was a significant amount of files with sensitive financial information including card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture.
After discovering the compromised Lenovo device, Vertical Structure contacted WhiteHat Security because of its world-renowned reputation in helping secure applications, to work together to verify the vulnerability found.
Verifying vulnerabilities is a very important step in securing applications, networks and devices. After all, on an average day, WhiteHat scanners discover hundreds upon hundreds of new potential vulnerabilities. In order to protect organizations from a constant barrage of false positives, each and every one of the potential vulnerabilities is carefully assessed and verified by WhiteHat’s team of application security engineers at its Threat Research Center (TRC).
Once Vertical Structure contacted WhiteHat, the company did an initial investigation to verify the information found was indeed an issue. After using the combination of WhiteHat’s machine learning-powered scanners and TRC, WhiteHat was able to confirm with Vertical Structure that the vulnerability was valid.
The next step in Vertical Structure and WhiteHat’s process was alerting Lenovo of the problem.
Once Lenovo confirmed there was an issue, the company quickly took action:
1. In discovering this vulnerability, Lenovo pulled three versions of its software out of retirement
and brought them back so their customers could continue to utilize their technologies while they
patched the vulnerability
2. Lenovo then pulled old software from version control to investigate any other potential
vulnerabilities to fix and release updates
Lenovo’s professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges. Not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it.
In sharing this story, both WhiteHat and Vertical Structure hope companies are inspired to always keep cybersecurity top of mind to keep up with the constant barrage of new vulnerabilities and exposures.
Further details about the vulnerability and Lenovo's resolution are available at Lenovo's Website