- Nissan North America recently suffered a data leak when source code for its mobile apps and internal tools surfaced online after the company presumably misconfigured one of its Git servers.
- “Nissan is not the first vehicle manufacturer to have data stolen via misconfiguration in GitLab. Mercedes suffered the same embarrassment when source-code breach for ‘smart car’ components leaked data in May 2020. It could immediately appear that these are not severe leaks; after all, it’s proprietary data that is only useful with the specific brand and partners,” says Laurence Pitt, global security strategy director at Juniper Networks, in an emailed statement. “However, the data is valuable – buyers and downloaders of this data will use it to reverse-engineer code, look for weak-spots in web-portals and find ways to hack into consoles; either to gain competitive advantages or for darker, more damaging reasons.”
- In both cases, the data was left exposed on an unsecured internet-facing server – a simple Google dork search, which people may run continuously, will find them, explains Pitt. “We need to remember that Google indexes anything it can see and validate, and so unencrypted, non-passworded data is fair game,” he says. “Organisations need to take a proactive approach to their security to prevent this from happening. Start thinking the same way as the person looking to steal this information and remember that if you can see without logging in, then so can anyone.”
- Manufacturers need to consider the following as foundational security, checked and run continuously:
- Protect private data areas with authentication, multi-factor systems and IP restrictions, and test that the protection actually works.
- Encrypt data at rest and data in motion.
- Run regular Google dork queries against your own systems, just in case something shows up.
- If something does show up, ask Google to remove it via Search Console.
- Use a robots.txt file to keep sensitive paths from being indexed (this stops Google, but not every search engine).
Week – Peter Fretty | January 6, 2021