Lessons to be learned from the Lush website hacking

News by Dan Raywood

The hacking of the Lush website has been described as an issue seen many times before of web developers not providing sufficient security for the sites that they build.

The hacking of the Lush website has been described as an issue seen many times before of web developers not providing sufficient security for the sites that they build.

Eddy Willems, security evangelist at G Data, claimed that the site's announcement that it had been accessed by a third party over an unspecified period of time, was another case of consumers falling victim to cyber crime and of insecure development of websites.

He said: “It can be put down to several very avoidable aspects, such as the web server password. In many cases, these passwords are something very simple such as ‘admin123', which can be cracked in a matter of seconds by an automated service. Web developers should also scan the site from an offline perspective, in case there is some very well hidden malware already infecting the site. “

He said that whilst the users were not at fault in regards to their security in this case, it still shows the need for complete PC protection from both parties.

“Having important financial information stolen is not only dangerous, but it is also a huge inconvenience, as cancelling credit cards is a task which no one likes to do. So as the shopping online phenomenon continues to grow, so will the chances of cyber theft. Consumers and retailers alike need to continually update their anti-virus software to minimise the chance of becoming an online victim,” he said.

Noa Bar-Yosef, senior security strategist at Imperva, said that the Lush online application is riddled with vulnerabilities, to the extent that the company had to take the website down. This, he said, showed it was not just one sole vulnerability that could have been quickly fixed, but lots of security issues which would require a security overhaul.

He was also critical of the time frame, as Lush showed that it knew the exact dates of the start and finish of the hack, so that it did have some sort of audit during the attack, yet there was probably no one responsible to constantly oversee the audits to alert in the case of abnormal behaviour.

He said: “In regards to the audit, Lush mentions that they are informing all 'potentially affected' customers. This means that they do not have exact affected customers details. A good audit trail should also provide concrete details regarding who was affected and when.

“The attack clearly shows that Lush was in breach of PCI DSS compliance. Look at the 'We Believe' statements. There's no talk about belief in making websites secure for customers. They are blaming the attackers and talking about cooperation with law enforcement. However, they should also add a 'We Believe' on making the website more secure for their customers.

Rik Ferguson, senior security advisor at Trend Micro, claimed that he was initially alerted to the attack by one of his own friends whose credit cards had been used to make fraudulent purchases totalling almost £6,000 from well-known online retailers.

He said that the risk of these stolen card numbers being used by criminals has already moved from the theoretical to reality. “For the most part shopping online is as safe as shopping in store, but when a compromise occurs at an online merchant often its consequences are far greater, affecting many more people than in store card cloning due to the centralised nature of online stores,” he said.

Ferguson went on to claim that this should be a precedent for consumers demanding more services such as one-time credit card numbers from their financial institutions, to afford them more protection when shopping online.

LogRhythm argued that had true protective monitoring been in place, Lush would have been alerted to the attacks instantly. Ross Brewer, VP and MD of international markets at LogRhythm, said: “Yet another security breach underlines the need for effective monitoring, and yet again it is the consumer that pays the price with their data. Taking almost four months to detect a security breach is unacceptable and the monitoring system mentioned in Lush's statement is clearly not up to the job.

“Centralised logging and security event management platforms automatically monitor the millions of logs and audit trails generated daily by every IT related action, while also reporting and alerting on suspicious or unexpected activities that warrant special attention. Had such a system been in place there is no way this incident could have occurred.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews