A Case Study In The Importance Of Strong Password Enforcement

April 12, 2019

Two months before the breach came to light, a popular Taiwanese computer company ignored warnings from security researchers that its employees had leaky password habits. Asus chose not to act on the alarm bells and continued with business as usual. Two months later, the company was at the center of a massive, carefully targeted supply-chain attack. Whether the exposed passwords were the attackers' way in has never been confirmed publicly, but the two events side by side show exactly what poor password hygiene and an unresponsive security process invite.

Specifically, Asus engineers used GitHub repositories to share and pull code. Several of them had committed usernames and passwords for company email accounts, leaving the credentials publicly readable by anyone who looked. One of those accounts belonged to an engineer who received the company's nightly builds, patches and development tools, and its password had been sitting in the open for roughly a year.
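The failure described above, credentials committed to a repository where anyone can read them, is cheap to catch before a push. What follows is an added example, not Asus code and not a real secret-scanning product: a small Python scanner that runs a few illustrative rules (password and token assignments, private-key headers) over a set of files or over the added lines of a unified diff such as `git diff --cached`, skips documentation placeholders and low-entropy stubs, and reports findings with the secret redacted. The rule set, the file names, the sample contents and the sample diff are all constructed for this illustration.

```python
# Added example credential scanner: not Asus code, not a real secret-scanning
# product. Rules, sample files and the sample diff are constructed here.
import math
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never echo the secret itself into logs or CI output

# Illustrative rules; group 2 (where present) captures the candidate secret.
# No leading \b on the keyword, so SMTP_PASSWORD and mail_pwd still match.
PATTERNS = {
    "password_assignment": re.compile(r"(?i)(pass(?:word|wd)?|pwd)['\"]?\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    "token_assignment": re.compile(r"(?i)(api[_-]?key|secret|token)['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
PLACEHOLDER_MARKERS = ("changeme", "example", "your_", "_here", "xxxx", "placeholder")
MIN_TOKEN_ENTROPY = 3.0  # bits/char; random base62 scores about 3.8 and up

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs) if s else 0.0

def redact(value: str) -> str:
    """Keep two characters at each end so a finding can be traced to its source."""
    return value[:2] + "*" * (len(value) - 4) + value[-2:] if len(value) > 8 else "*" * len(value)

def scan_line(path: str, line_no: int, line: str) -> list[Finding]:
    """At most one finding per line; placeholders and low-entropy stubs are ignored."""
    for kind, pattern in PATTERNS.items():
        m = pattern.search(line)
        if not m:
            continue
        if kind == "private_key":
            return [Finding(path, line_no, kind, "(private key header)")]
        value = m.group(2)
        if any(marker in value.lower() for marker in PLACEHOLDER_MARKERS):
            continue
        if kind == "token_assignment" and shannon_entropy(value) < MIN_TOKEN_ENTROPY:
            continue  # repeated characters: a stub, not a live token
        return [Finding(path, line_no, kind, redact(value))]
    return []

def scan_text(path: str, text: str) -> list[Finding]:
    return [f for n, line in enumerate(text.splitlines(), 1) for f in scan_line(path, n, line)]

def scan_files(files: dict) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]

def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the added lines of a unified diff (e.g. `git diff --cached`),
    which is what a pre-commit hook sees before a secret leaves the machine."""
    findings, path, new_line = [], "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.search(r"\+(\d+)", raw)
            new_line = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):
            new_line += 1
            findings.extend(scan_line(path, new_line, raw[1:]))
        elif not raw.startswith("-"):
            new_line += 1  # a context line advances the post-image line counter
    return findings

# Constructed sample inputs (not real Asus files).
SAMPLE_FILES = {
    "build/nightly.sh": '#!/bin/sh\n# upload nightly build\nSMTP_USER="build-bot@example.com"\n'
                        'SMTP_PASSWORD="N1ghtly-Bu1ld-2018"\ncurl --upload-file build.zip ftp://share.example.com/\n',
    "docs/config.example": "password = changeme\napi_key = YOUR_API_KEY_HERE\n",  # placeholders: no alert
    "tools/deploy.cfg": "token=q7Vb2nK9xT4pLm8sW3zR1yE6\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
}
SAMPLE_DIFF = (
    "diff --git a/tools/mail.py b/tools/mail.py\n--- a/tools/mail.py\n+++ b/tools/mail.py\n"
    "@@ -10,3 +10,5 @@ def send_report():\n"
    "     smtp = smtplib.SMTP(host)\n"
    "-    smtp.login(user, os.environ['SMTP_PASS'])\n"
    "+    # TODO: move back to the environment before pushing\n"
    "+    password = 'Hunter2-mailbox-2018'\n"
    "+    smtp.login(user, password)\n"
    "     smtp.send_message(msg)\n"
)

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES) + scan_diff(SAMPLE_DIFF):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
```

To use it as a pre-commit hook, feed the output of `git diff --cached` to `scan_diff` and exit non-zero when it returns anything; the same rules run over the full history will turn up passwords that, as in the Asus case, have been public for a year. Regexes like these are a floor, not a ceiling, and the redaction matters: a scanner that echoes the secret it found into CI logs simply creates a second leak.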

Once the attack was disclosed, Asus publicly acknowledged it and released a fixed version of its Live Update tool. The bitter irony is that Live Update was the delivery vehicle: the very utility customers rely on to receive security fixes had been compromised, and for months it had been handing out malware. And that was only one of the problems.

The malicious updater looked like the real deal: it was signed with legitimate Asus code-signing certificates and delivered from Asus' own update servers, so nothing raised a red flag and no one suspected a thing. The campaign, which Kaspersky discovered and named Operation ShadowHammer, is attributed to an advanced persistent threat (APT) group, the kind of well-resourced, often state-backed actor that goes after organizations rather than everyday users. The backdoor reached a large number of machines, but it was written to activate only on roughly 600 specific targets, identified by hard-coded network adapter (MAC) addresses; on every other machine it stayed dormant.

The ongoing problem of corporations not responding to security weaknesses, especially after they have been warned about them, is a risk to users and customers everywhere. Combine systems that are not cyber-resilient with employees who have had no security training and you have a recipe for a disaster like Asus'. Nor is Asus alone: a similar credential problem, access keys sitting in a GitHub repository, let attackers take data on 57 million Uber riders and drivers.

Common sense dictates that the corporate world should be more aware of its security weaknesses and should heed warnings about them promptly. Security patches and system updates need to reach users as soon as they are available, and through a channel whose integrity can be trusted; the Asus case is a reminder that a valid code signature is not enough when the build and signing pipeline itself has been subverted, so that pipeline needs the same protection as the product. Keeping systems updated is not optional. Working exploits for disclosed vulnerabilities appear fast, and leaving systems unpatched when a fix is available is a risk that does not need to be taken.

Threats will never be completely eliminated, of course, but threats to network security can and should be countered with well-trained staff. Ongoing employee security education is vital to safe everyday computing, and together with enforced password policies it delivers a much-needed one-two punch against attackers. Do some research, ask colleagues in your industry and find what works best for your organization.

Stickley on Security
Published April 11, 2019