TaskRabbit, a web-based service that connects freelance handymen with clients in various local US markets, has emailed customers admitting it suffered a security breach. The company has taken down its app and website while law enforcement and a private cyber-security firm are investigating the incident. IT security experts commented below.
Tim Helming, Director of Product Management at DomainTools:
“This is an indication of how comprehensively nefarious actors can interfere with business functions–and potentially harm users. To take control of a website and expose such trusted resources as TaskRabbit’s GitHub repository, as well as daily transaction volumes and information regarding employees, the threat actors must have had comprehensive access to the network. While we don’t yet know the specifics of how this attack unfolded, it is a good reminder of the importance of practices such as least-privilege access controls, robust network segmentation, and strong phishing controls. Organizations need to take cybersecurity seriously, particularly when it could affect the livelihood, reputation and privacy of both employees and service users.
Bob Egner, VP at Outpost24:
“This attack happened because the TaskRabbit data is an interesting and valuable asset. Attacks of this nature are attempted when there is a potential gain for the attacker in this case, to monitize any personal information that can be obtained. All web applications are vulnerable, it’s only a matter of how much effort the attacker is required to expend. It’s really an economic problem where the payback has to be larger than the expended effort.
Any public facing web application that holds large amounts of personal information should have a comprehensive application security testing program in place to assess the application, it’s data stores, the infrastructure on which it runs, and the users assigned to manage and operate the overall system. Any weaknesses should be remediated in a prioritized way so that the potential for attack is reduced to the lowest possible level and maintained there. The focus should be on the economic equation, where the effort required to compromise the system is much greater than the value of any stolen information.”
Paul Edon, Director at Tripwire:
The TaskRabbit hack is an unfortunate reminder of why phishing is a popular attack method as it targets human naivety. Individuals must show extreme caution to all links and attachments sent to them and have the mindset that if it looks too good to be true, then avoid it at all costs. Organisations also have a role to play in reducing the threat posed by such attacks. Take a proactive step by implementing security services that offer anti-phishing services as well as introduce training for employees to understand the consequences of clicking unknown emails. Hackers are constantly developing new tricks to dupe unsuspecting users, so organisations must adopt a pro-active stance to help reduce the threat.
Rob Tate, Security Researcher at WhiteHat Security:
“TaskRabbit is a great example of how small businesses can thrive thanks to the popularity and widespread use of apps in today’s modern world, and consumers can find services in just a few clicks. To stay ahead of the game in terms of usability and enhanced features, apps are continuously being updated. Although this is beneficial to both businesses and consumers, security must not be an afterthought and needs to be an integral part of the build process.
At WhiteHat, we are seeing practices such as DevSecOps become increasingly popular as organizations and businesses of all sizes look to focus efforts on securing their applications, but a lot more still needs to be done to achieve the security required. Because a security breach could reflect poorly on the acquiring company, there are key areas that could make your organization vulnerable to a breach, and they are often overlooked.
For example, it’s critical that the company being acquired take the proper measures to build security into their development practice, and that due diligence on the security of acquisitions of big software programs or cloud services be done. The same holds true for open source software or libraries that are being brought into your company’s development organization.
Companies should always first assume the service/application is not secure, and then apply security best practices to make sure it becomes secure as they use it to build apps or services.
Security is also important for consumers. There are some simple steps they can take to help secure themselves online:
- Don’t use the same password for all sites and apps. If one site or app is breached, all of your accounts are effectively breached. At the very least, use a variety of passwords to minimize the impact.
- Turn on two-factor authentication for any app that supports it. It can be a pain, yes, but it’s also one of the best ways to protect your accounts,”