Yesterday Hitsniffer, a provider of analysis and details around website visitors and traffic, went offline. This is due to an internal data breach carried out by a senior and trusted member of staff. Hitsniffer has cancelled all payments from customers and is no longer functioning or responding to emails. This attack has again thrown the risk posed by insider attacks into the spotlight.
Visitors to the Hitsniffer website see the following statement:
“Hitsniffer was compromised by a programmer who had worked for the company since its inception. This programmer has stolen all databases. The customer database is now in his hands. You will probably have received an email from a company called Hitsteps; this company has no relationship with Hitsniffer, and Hitsteps is now using our customer database to contact our customers.
“We have made allegations of theft and fraud regarding this matter and it is now being investigated by the Police. We have cancelled all recurring Paypal payments to our company, as we certainly do not wish to receive any payments from our clients when we cannot provide service. We cannot apologise enough for your loss of service. Please be aware that a company called Hitsteps have been emailing our customers using our customer database without our permission.”
A stolen database or a purchased data set
One of the problems with this situation is knowing at this stage what has really happened. Was the data stolen to order? Was it just an opportunistic theft? Is it part of an internal disagreement that has escalated out of control? The latter is interesting because the statement says this is someone who has been with Hitsniffer since its inception. Perhaps this is about a severance issue or a personal situation between founders.
It is entirely possible that Hitsteps simply purchased a set of names from a third-party broker. At Enterprise Times we average 12 such emails per week. Most of the lists are created by screen scraping forums and websites. It is also possible that Hitsteps knew what they were purchasing. However, there is no statement about this on the Hitsteps website and they are still up and trading.
The risk of privileged user access
Users with excessive privileges are a problem for all organisations. As people stay with a company they change roles, gain promotions and work on multiple projects, and each of these gives them access to further sets of data. Once the need for access has passed it is rare for a user's access rights to be revoked. Most senior employees in a company end up with access to vast amounts of sensitive data they don't need, which makes them an ideal target for hackers: compromise their credentials and you can steal the corporate crown jewels.
According to Justine Cross, Regional Director at Watchful Software: “The Hitsniffer data breach demonstrates the fact that privileged users with seniority in the company pose the biggest threat of malicious insider activity, and are one of the most difficult to guard against. Setting the security restrictions on customer data including emails, office documents or in fact any file types to ‘internal use’ or ‘confidential’ will also make it much more difficult to remove the files from the company network without alerting the IT or security team that a malicious internal threat is taking place.”
Alerts would not have worked here. The data was taken by someone with the right privileges. As a programmer they would have been able to explain the copying of data as necessary for testing new features. Additionally, in a small organisation everyone trusts senior members of staff.
Tools to manage privileged access are expensive. This means that smaller organisations are unlikely to deploy them. Employees in smaller businesses often have to cover for each other. This also creates problems with data access that larger companies can solve with processes and products.
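One cheap way to catch the access accumulation described above, added here as an example and not code from the article or from Hitsniffer: a Python access review over a constructed grant ledger and role history (hypothetical users alice and bob) that flags grants whose justifying role or project has ended, and grants issued with no recorded justification at all.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str
    dataset: str
    justification: Optional[str]  # role or project the grant was issued for
    granted_on: date

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    start: date
    end: Optional[date]  # None means the role is still held

# Constructed sample ledger (hypothetical names, not the companies in the article).
GRANTS = [
    Grant("alice", "analytics_db", "developer", date(2011, 6, 1)),
    Grant("alice", "customer_db", "billing-integration", date(2012, 3, 1)),
    Grant("alice", "payroll_db", None, date(2014, 9, 15)),
    Grant("bob", "customer_db", "support", date(2015, 1, 10)),
]
ASSIGNMENTS = [
    Assignment("alice", "developer", date(2011, 6, 1), None),
    Assignment("alice", "billing-integration", date(2012, 3, 1), date(2012, 12, 31)),
    Assignment("bob", "support", date(2015, 1, 10), None),
]

def stale_grants(grants, assignments, as_of_iso):
    """Return (grant, reason) pairs a review on date as_of_iso should revoke or re-justify."""
    as_of = date.fromisoformat(as_of_iso)  # review date, e.g. "2016-04-01"
    findings = []
    for g in grants:
        if g.granted_on > as_of:  # not yet issued on the review date
            continue
        if g.justification is None:
            findings.append((g, "no recorded justification"))
            continue
        still_held = any(
            a.user == g.user and a.role == g.justification
            and a.start <= as_of and (a.end is None or a.end >= as_of)
            for a in assignments
        )
        if not still_held:
            findings.append((g, f"'{g.justification}' ended, access kept"))
    return findings
```

Run `stale_grants(GRANTS, ASSIGNMENTS, "2016-04-01")` to list what a reviewer should revoke; a grant that is still justified by a current role, the case the article says alerts could not cover, is deliberately not flagged.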
The details of this attack are still emerging. There is already a dispute about the accuracy of the Hitsniffer claim. The insider, who has not been publicly named, is disputing they stole the data. Hitsteps, like Hitsniffer, are not responding to questions about the data. It will be interesting to see if this results in a prosecution and whether Hitsniffer can recover from this.