I’m sure if you have been watching the news recently, you will have seen the breaking story of Optus and the Cyber Attack that is threatening to leak millions of Australians’ sensitive information to the wider world. But one of the biggest cyber attacks in Australia's history, may not be a cyber attack at all, but a massive failure of data handling and lack of security measures.
The analogy of the house is being thrown around a lot, but from a visualisation perspective, it is helpful when describing what has happened in the case of Optus. A cyber attack can be likened to a window being broken and someone forcefully gaining access. In Optus’s case, there is no broken window, instead, a window left wide open where someone could freely climb inside.
Unfortunately, what this means for the Australian public is that ten million people will ultimately be affected by minor data leaking and two million people will be heavily affected and at risk. The nature of Optus’s services requires its customers to give 100 points of ID in order to access their subscriptions. This does mean that Australians’ Medicare numbers, Drivers License numbers, Birth Certificates, etc are now at risk of being used for identity theft.
The Home Affairs Minister, Claire O’Neil, has described the data breach as ‘unsophisticated,’ and we would like to explain a bit more on why. In this blog, we don’t want to focus too much on Optus as not all the details are clear. But we do want to shed some light on how Australian developers can avoid this in future.
In simple terms APIs and endpoints are how the frontend (what the user sees) of a product interacts with the backend (where the users data is stored and handled) of a product.
A good example of backend APIs and endpoints is your personal Netflix account. When you sign in to your Netflix account, your phone or internet browser communicates to Netflix’s system through their API’s. These API’s know who you are, and serve you data that is relevant to your account.
The problem emerges when you can use the same API to receive data about another user.
In Optus’s case, this analogy highlights where things have potentially gone wrong. From a developer's point of view, the APIs and endpoints are being used as expected. Information is asked for, and information is passed correctly. The system is doing its job.
Unfortunately, the access point for this data breach was an open API that was accessed at the URL api.www.optus.com.au
All APIs and endpoints need to have authentication to prevent anyone from accidentally stumbling across things they shouldn’t. The only thing that should be interacting with the backend of a product is the front end.
Authentication on APIs and endpoints is a basic practice that is taught in University and should be implemented from the outset.
When it comes to users of apps, every user has their own unique ID. The Optus hacker has leaked that the IDs used by Optus are sequential integer IDs. For example:
{ id: 6, name: “Stephanie Works” }
{ id: 7, name: “James Bond” }
This makes users extremely easy to pin point as the IDs climb in an ascending fashion, meaning the people responsible for the data hack could easily write a script to extract all of this data. If you saw that your unique user ID was 405, it's reasonable to assume that there would be users with the ID's 404 and 406.
An example of a UUID would be f0056e4f-1419-4532-badf-ff40ec5ba4b3
While there are some legitimate reasons to not use UUIDs, they can be a good choice if your data is being seen by your users.
The world is becoming more reliant and hungry for technology. This means we as a society are going to be exposed to more and more data breaches and cyber attacks. As a developer, it is important we take security seriously and give it equal weight to a product's functionality.
I have seen many developers forgo implementing security measures in favour of building out new functionality for their users. While functionality is important, if you don’t have a secure platform that your users trust, no one will want to use your product.
A narrative we like to push at Moonward is always assume that someone is trying to do something malicious with your code, so don’t give them the opportunity to.
There are many layers and levels to this data breach, and it is safe to assume that not everyone in this company would have full knowledge on the security measures in place to protect themselves.
From the outside looking in, you would assume that Optus would hire the cream of the crop in terms of software developers in Australia. Afterall they are a billion dollar company and hold a strong market presence here.
But, it would not be so bold to say that this data breach is an example of some extreme and prolonged negligence from Optus. Software developers should know their code like the back of their hand, especially when they are working on a product for a prolonged period of time, to not know that there was open APIs and endpoints is a big misjudgement for the Australian superpower.
Australia does have cyber security guidelines requirements for certain sectors. Unfortunately, the telecommunications providers in Australia were approached to review their own systems and denied needing any guidance.
If you have been affected by Optus please follow this link: https://www.cyber.gov.au/have-you-been-hacked
The Australian Government is also offering support to renew some information you believe has been compromised.
.svg)
.svg){kind=logo}
