Recently, the British Airways data breach by the hacker group “Magecart” raised eyebrows about the use of third-party source code. Magecart used malicious code to capture data entered by users of British Airways’ payment portal and send that data to their own systems. Much like a physical credit card skimming device, Magecart captures sensitive payment details.
What makes this breach interesting is that British Airways, like other organizations of the same size and scope, has spent millions of dollars on security resources to protect itself from such intrusions. However, a breach in security like the one British Airways experienced comes down to the culture of IT in utilizing open source technologies.
In today’s technology trends, no trend is greater than the use of open source software. Open source is software where contributors can make changes and modifications to the program and then submit their work to the source-code owner for insertion into the core of an application. Many products used today contain a significant amount of code that comes from these open source projects, and that code thus finds its way into applications in private, public, small and large enterprises. If you build technology products in your business or service, chances are you have some open-source programs living in those products. That isn’t necessarily a bad thing, as open-source projects provide an ability to expand the capabilities of software beyond the knowledge base of its own programmers. You’re essentially leveraging the knowledge and experience of a community of programmers rather than the limitations of a few.
However beneficial, you do run the risk of ingesting code into your software without a thorough review, which in turn opens the possibility of malicious code living within your applications and internal network.
How It’s Done
The hack used cross-site scripting to gain access to British Airways and, previously, Ticketmaster. It’s a method where code injected through the browser performs actions on user events to push data to locations not owned by the application host. Sounds confusing, right? Let me explain.
The data is encrypted when you enter your credit card information on a website. Next, to charge your credit card, that encrypted information is sent to the credit card processor. The processor unpacks (decrypts) the data and uses it to process your credit card transaction. If software can see the raw data before encryption, then your personal and financial information is visible to that software and its owner. A malicious script captures the data in its raw form and sends it to a server where it is processed and stored for the hackers to see. These scripts are written in technologies such as JavaScript, which is one of the most popular open-source languages used today and is used on over 90% of internet sites.
Ways to Protect Yourself
There are ways, however, to prevent cross-site scripting. OWASP is an organization that publishes a Top 10 list of standards for open application security and provides guidance and prevention techniques for IT practitioners. By following the OWASP standards, you can mitigate the risk of cross-site scripting vulnerabilities. They have countless examples and prevention steps listed in the standards.
The issue with following OWASP standards in the case of British Airways is that the hackers inserted their code into third-party code that was then, without a thorough inspection, used in the application. The developers installed the third-party code on their servers, bypassing security protocols. Once inserted into the core of the application, the script runs behind the scenes, that is, without the users or the product owner knowing.
These actions are more common than you may think, which is why standards like OWASP’s exist, along with the recommendations from INFOSEC publications. These publications not only identify but explain the ways to secure your software from intrusions. Additionally, you should adopt stringent processes and procedures to verify that open-source code is safe before including it in your applications, and thereby protect your customers’ data.
Need help with cybersecurity solutions for your business? Contact us today for a free consultation.