Ticketmaster breached – further insight

News broke yesterday that Ticketmaster had been hacked. The company has set up a dedicated page to deal with the news – https://security.ticketmaster.co.uk/.


Offering further insight into the breach are the following security professionals:


Martin Jartelius, CSO at Outpost24:

“In this case, an attacker has targeted one of their third-party services used on their websites, and thereby managed to target their customers and impact the service. Integrations and seamless inclusion of third party code into websites is an increasing trend, and this essentially means trusting other organizations to safeguard their systems and protect your users.

Organizations are using these codes for ad tracking, for tracking user experience and interactions and, as in this case, support services. By including code from other organizations' servers (rather than hosting it yourself) you are exposed to vulnerabilities or risks that are out of your control. Trust is essential in a partnership, but control is even more important – ensure that when you secure your applications you demand the same from vendors you intend to integrate or work with.”


Ian Ashworth, security consultant at Synopsys:

“While I don’t have any specific information relating to this incident, it sounds like a typical data exfiltration technique to plant malware on a server that is acting as a genuine conduit between parties in an order management chain or payment process. Most of these would employ encryption to protect data end-to-end. However, there could be weaknesses where one encryption link is translated to another for onward transmission.

The server in question would capture information that is being legitimately presented by a customer for their ticket purchase etc., and the malware then silently transmits this on to another “host” for subsequently committing fraud.

Well-maintained anti-virus and malware detection software running on these servers would hopefully detect the introduction of these types of malicious programs, either from their code “signatures” or from their unusual/unexpected network connectivity. There is an increasing trend, however, in the development of fileless malware, which tries to hide itself in the memory of the servers (RAM) rather than leave any footprints on disk drives, which are swept for suspicious software. Malware can also be very cunning in shaping its own network data traffic to avoid intrusion detection systems. Other mitigation techniques exist which fall under the category of best practices (e.g. implementing the principle of least privilege and utilising sandboxes).

From a customer perspective, they will be totally unaware of the fraud until they or their payment provider detects potential anomalies on their own hosts relating to suspicious retailer activities and pinpoints the likely source of the data fraud.”


Laurie Mercer, Solution Engineer at HackerOne:

“Ticketmaster should be congratulated for this textbook breach notification. The communication is clear, transparent and informative. This breach highlights how important it is to ensure the same security standards are followed across the software supply chain.

Security does not stop in your Software Development Lifecycle; it must extend through your software supply chain. To best protect customer data, organizations need to run thorough security vendor assessments and partner with brands that take security as seriously as they do.”