Technology Tap
The 2016 Verizon Hack: Lessons in Cybersecurity and Data Protection
Ever wondered how one of the largest telecommunications companies fell victim to a major cyberattack? Join us as cybersecurity students Alexis Severo and Aaron Kispe unravel the infamous Verizon hack of 2016. We kick off our discussion with an insightful look into Verizon's sprawling history and multifaceted services, shedding light on why this tech giant became such a lucrative target for cybercriminals. Discover the gripping narrative of how attackers infiltrated Verizon's enterprise client portal, leading to the unauthorized sale of customer data on the dark web. We'll also cover the chilling aftermath, including a second security flaw that further compromised user accounts by altering email forwarding settings.
But the conversation doesn't stop at just recounting the breach. We dive deep into actionable strategies to bolster your data security practices and prevent such breaches in the future. From enhancing system monitoring with cutting-edge security information and event management systems to implementing role-based access control and vetting third-party vendors, Alexis and Aaron break down the essentials. Reflecting on lessons learned, we underscore the critical importance of security alert emails and balancing convenience with robust safeguard measures. Plus, stay tuned as we discuss the valuable insights from Verizon's annual data breach investigations report—a must-read for any organization looking to shore up its defenses. Don't miss this eye-opening episode packed with expert advice and real-world lessons in cybersecurity.
If you want to help me with my research please e-mail me.
Professorjrod@gmail.com
If you want to join my question/answer zoom class e-mail me at
Professorjrod@gmail.com
Art By Sarah/Desmond
Music by Joakim Karud
Little Chacha Productions
Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod
Welcome to, and welcome to, Technology Tap. I'm Professor J-Rod. In today's episode, another summer series. This time, they're going to talk about the Verizon hack. Let's get into it, all right. All right, welcome to Technology Tap. For those who don't know me, my name is Professor J-Rod and I'm professor of cybersecurity, and if you've been listening, you know that I've been doing, in collaboration and cooperation with some of my students, a summer series on hacking on companies that have been hacked. This episode is going to be about the Verizon hack. I think it happened in 2016. It's by Alexis and Aaron. Thank you so much for agreeing to participate in this assignment, and you know, so far I've done, this will be number three. I think the students have done an excellent job and I'm very grateful for them wanting to volunteer and do this. So, all right, here's Alexis and Aaron.
Speaker 3:Good afternoon. I'm Aaron Kispe and I'm here with my co-host, Alexis Severo, and today's topic is what happened to Verizon in 2016? But before we get into any specific details, Alexis, can you tell us who or what Verizon is?
Speaker 1:Certainly. Verizon was founded in 1983 as Bell Atlantic Corporation. Then in 1996, they merged with NYNEX under the name Bell Atlantic. Finally, in 2000, Bell Atlantic merged with GTE to form a company known as Verizon. Verizon is one of the largest telecommunication companies in the world. It has operations in over 150 countries serving over 140 million customers worldwide. Verizon provides a wide range of services. It is organized into three divisions. The first division is the consumer group, which provides wireless network services to residential homes and businesses.
Speaker 1:Then there's the business group, which caters to enterprise clients with secure and reliable network connectivity, cybersecurity solutions, cloud computing and data center services. And let's not forget about the media division, which oversees digital advertising and provides online services through their platforms. That is Verizon as we know it today. So what reasons would a threat actor have for attacking them in 2016?
Speaker 3:Good question. Well, during that time period, Verizon Enterprise Solutions had a customer base of 1.5 million customers. Additionally, about 99% of Fortune 500 companies that year were using Verizon Enterprise Solutions in their daily IT environments. Not only is there a large pool of potential victims, but many of these are high-value targets. This made Verizon an enticing target for any financially motivated threat actor, who could then sell the stolen information or exploit basic contact details for phishing and future cyber attacks. Now, Alexis, what specifically happened during this data breach?
Speaker 1:Well, in March of 2016, a database containing customer information from Verizon Enterprise Solutions was being advertised for sale on the Cybercrime Forum. The seller gave interested customers the option of buying the entirety of the compromised database for $100,000. The alternative option was to buy the information in chunks of 100,000 records for $10,000, a package forcing potential customers to gamble on the type of information they were buying.
Speaker 1:The poster was also offering to sell information about security vulnerabilities in Verizon's website. The threat actors were able to do this by exploiting a security vulnerability in the enterprise client portal. Aaron, can you go into further detail about the information we found regarding this data breach?
Speaker 3:Although not many details about this attack were released, Verizon claimed that no customer proprietary network information was accessed or accessible. What was stolen, though, was basic contact info like names and email, but in that same response, Verizon claimed to have resolved this issue, but just a couple weeks later, their PR team claimed that the database that was being sold online was just fictitious data. Naturally, we had to investigate to see if there was any truth behind the claims made by Verizon, or were they just downplaying the impact of this breach? And, most importantly, we wanted to know if the seller of the compromised database could provide more insight into the weaknesses of Verizon's web services.
Speaker 1:Giving credence to the claims made by the seller, on April 14, 2016, another security flaw in Verizon's website was discovered. It was discovered that anyone with a valid Verizon.net account would be able to change the forwarding settings of another person's account. Imagine having your password reset emails being sent to another person and, worst of all, not knowing that they were being sent to them in the first place. Victims of this exploit would have no way of knowing that their email address was compromised because they would not be able to receive any suspicious emails in their inbox. Before we get into any specific information about this vulnerability, it is important that we give listeners a brief overview of what website API security is.
Speaker 3:Absolutely. Web API security is essential for protecting sensitive data and ensuring the integrity of online systems. At its core, web API security focuses on safeguarding the application programming interfaces that enable communication between the different software applications over the internet. APIs serve as the bridge between the front-end user interface and the back-end server, where the data is then stored and processed. When a user interacts with a web application, they're essentially sending requests to the API endpoints, which then process these requests and return the appropriate response. However, ensuring the security of these API endpoints is crucial, as they can be vulnerable to various threats if they're not properly protected.
Speaker 3:That's where measures like authentication, authorization and encryption come into play. The API gateway acts as the gatekeeper, verifying the identity of users and ensuring that they have the necessary permissions to access the requested data. By encrypting the data in transit and at rest, organizations can prevent unauthorized access and protect the sensitive information from prying eyes. So, in essence, web API security is all about fortifying the communication channels between the different software components, ensuring that the data remains secure and confidential throughout the exchange process. But now, Alexis, what specific vulnerability was being used for this exploit?
Speaker 1:What was being exploited is known as an insecure direct object reference vulnerability, which means there was an issue with the API endpoint. As I stated earlier, a threat actor only needed a valid Verizon.net account to take advantage of this exploit. Then they must obtain the user ID of an email, which they can do by looking at the forwarding settings of an email account, more specifically, the proxy settings. The user ID is important because it is used to identify accounts in Verizon's internal systems.
Speaker 2:It also points to another internal ID known as the mail ID.
Speaker 1:The mail ID is what is used to identify a specific email address in Verizon's internal systems.
Speaker 1:This was only possible because Verizon exposed an API endpoint that gave people the means to look up a target's mail ID. A user would then send a POST request to the URL of the exposed API endpoint, which was dot Verizon dot com, forward slash webmail, forward slash driver, question mark N-I-M-L-E-T equals mail ID lookup. A POST request, put simply, is sending information from your computer to another computer. Once a person has this information, they could change the mail ID that their user ID points to. From there, they could change the forwarding settings like normal, but this time the settings are saved for another account.
Speaker 1:So we can see that these two vulnerabilities are not the same thing, but they are related to each other. A vulnerability in one can be used to affect the security of the other one. A vulnerable client portal can be used to make unauthorized API requests. An exposed API endpoint can be exploited by manipulating requests from the client portal. Luckily for users, this flaw was patched on May 12th of 2016.
Speaker 2:But this was a dangerous month for users of this email service. Verizon.net is now a discontinued service, but there is a lot we can learn from this security flaw.
Speaker 1:Aaron, can you give the listeners an idea of what companies can do to protect against data breaches in general?
Speaker 3:Let's start by addressing the need to enhance your system monitoring and auditing practices. Introducing a security information and event management system can significantly bolster your security efforts. This system collects and analyzes the security logs from across the network. Moving on, we'll discuss the implementation of role-based access control as a fundamental measure in fortifying your database security. RBAC works by restricting access to sensitive data based on the employee's role within the organization. By enforcing RBAC protocols, you can mitigate the risk of unauthorized access and data breaches, ensuring a more secure environment for your organization's data. Lastly, before dealing with a third-party vendor, it is good practice to conduct a thorough security assessment on the company before granting them access to your customer database, include specific data security requirements in these contracts and regularly monitor vendor activity. And don't forget to hold them accountable for meeting those security standards that were agreed upon. Now, with that being said, Alexis, what are your thoughts on what happened to Verizon?
Speaker 1:Personally speaking, I have a greater appreciation for the security alert emails I receive.
Speaker 3:It's reassuring that should my email address be compromised, I can be informed of it immediately.
Speaker 1:Honestly, I think one of my problems is going to be reading that email on time, because I'm not good at looking at my email, but like it's good, like I said, this is reassuring that I also like to have like emails separated for different things. I have one for school, one for applying for jobs another one just for, like, personal browsing.
Speaker 1:Of course it's good to keep your things organized. Yeah, so when I do get breached, I want to limit the scope of it, of course. But I recommend people find a balance between convenience and security, because I think this is good enough for me, but people might struggle just remembering one password, so I recommend just trying to use as many different passwords as they can.
Speaker 3:Or a password manager.
Speaker 1:I mean that too. That would work, but like, this works for me and people just go with what works for them.
Speaker 3:I mean, I guess that could be true, but you know, security over convenience at the end. I mean, if you want your things to be protected, yeah, but you don't want to get locked out of your account, that's true too. Well, I think about this whole situation that it's a bit ironic that Verizon Enterprise is typically the one telling the rest of the world how these sort of breaches take place, which is why I recommend reading Verizon's annual Data Breach Investigations Report, because each year it is full of interesting case studies from actual breaches, yeah, like the viral one, yes, and most of these case studies include hard lessons which mostly age very well. Even a DBI report from four years ago has a great deal of relevance to today's security challenges. So there is always something to learn from all these breaches, even if they were a couple of years ago, because technology keeps advancing, but the concepts stay the same, that's true, and with that we conclude today's segment.
Speaker 3:Thank you, Dr. Rodriguez, for having us on your podcast.
Speaker 1:Thank you, Dr. Rodriguez, for having us on your podcast.
Speaker 2:Yeah, thank you for this growing experience. All right, that's going to put a bow on the show. Thank you so much for listening. Thank you to Alex and Aaron for that lesson on the Verizon hack. We all appreciate it and we hope you learned something.
Speaker 1:Until next time.
Speaker 2:If you want to reach me, you can email me at professorjrod at gmail.com. That's P-R-O-F-E-S-S-O-R-J-R-O-D at gmail.com. This has been a presentation of Little Chacha Productions. Art by Sarah. Music by Joakim. Until next time.