E-Crime and SMEs: Lush Cosmetics - Case Study Example

Summary
"E-Crime and SMEs: Lush Cosmetics" paper focuses on a hacking attack on the Lush company, which advised its customers who had placed online orders with it since 4 October 2010 to contact their banks, as there was every possibility that their credit card details had been acquired by the hackers. …

Extract of sample "E-Crime and SMEs: Lush Cosmetics"

TABLE OF CONTENTS
E-Crime and SMEs
Case study: Lush Cosmetics
Introduction
Data Protection Laws
Methods of Hacking
Reasons for Hacking Attack in Lush Cosmetics
Tools Used for Hacking
SQL Injection
Recommendations to Counter SQL Injection
Constrain Input
Using Parameters with Stored Procedures
Using Parameters with Dynamic SQL
Conclusion
References

E-Crime and SMEs
Case study: Lush Cosmetics

Introduction

The UK based cosmetics company Lush Cosmetics was hacked, the attack coming to light on 20 January 2011. During this attack, personal data, including the credit card details of some 5,000 of its customers, was stolen. Although the Information Commissioner's Office (ICO) refrained from imposing a fine on Lush, the company was directed to give an undertaking that it would rectify the defects in its information technology systems and adopt certain practices. The breach and the subsequent investigation by the ICO spanned seven months (Hill & Allnutt, 2011, p. 87). Following the attack, Lush advised all customers who had placed online orders with it since 4 October 2010 to contact their banks, as there was every possibility that their credit card details had been acquired by the hackers. Such attacks are commonplace on the Internet, and a large number of websites suffer from serious security flaws. It has been conjectured that Lush was affected by SQL injection, a flaw that had also been identified on Lush's Italian website; a similar problem had been experienced by the website of the UK Parliament (xibis, 2011). After the attack, several Lush customers reported that money had been stolen from them via their credit cards. Lush's website was shut down on 21 January 2011, after the attack, once a large number of its customers had complained about the fraudulent use of their credit cards (BBC NEWS Technology, 2011).
Moreover, on 9 April 2008 the British Chambers of Commerce (BCC) released a report, 'Invisible Crime: A Business Crime Survey'. It disclosed that between January and March 2008 around 94% of enterprises had been subjected to spam and 31% had become the victims of online phishing. The report also found that organisations with fewer than 50 employees and a turnover below £1 million, and people working from home, were disproportionately affected by these attacks (SPAMfighter, 2008).

Data Protection Laws

Although the data protection laws do not require a company to spend all its funds on securing its data, they do require businesses to enter into suitable contracts with the operators of their IT systems and websites, to check their data on a regular basis, and to take prompt action on suspecting a breach (Computer Weekly, 2011). These requirements become more stringent as the sensitivity of the data increases and as the number of people who stand to be affected grows. When subjected to such an attack, the affected business has to address the issues as expeditiously as possible. In addition, the ICO has been given new powers under which such a business can be penalised (Computer Weekly, 2011). The penalty can extend to £500,000, depending on the seriousness of the breach of the data protection legislation. In times of economic difficulty, businesses may prefer to cut costs drastically and regard data security as unimportant; after the Lush incident, businesses should make sure that customer details are adequately protected (Computer Weekly, 2011). Cyber security does not seem to matter to organisations. This disturbing observation was made by Brian Hay, Detective Superintendent of the Fraud and Corporate Crime Group.
He stated that in eight years he had seen just one organisation that attached importance to preventing hacking attempts. Many organisations transfer responsibility for cyber security to their technical staff (Kidd, 2012, p. 29). Hay is of the opinion that organisations rely on software rather than developing a culture that promotes security. Behaviour is critical to the safety of an organisation, and if it is not strengthened the organisation will remain vulnerable. The introduction of the carbon tax has provided scammers and organised crime with a vast array of opportunities to target companies (Kidd, 2012, p. 29), especially in the purchase and sale of carbon credits; European companies have already been subjected to a number of hacking attacks aimed at their carbon credit information. Organisations therefore need to protect their vital information by employing technology, investing in the security of that technology, and developing a secure culture (Kidd, 2012, p. 29).

Methods of Hacking

A large number of websites, and e-commerce websites in particular, have underlying databases that store product information, order data, or even simple news items. To display product information on a page, such a site takes a reference number, or text from a link or form, appends it to a query and sends the query to the database (xibis, 2011). For example, a user might click on a link that ends in "?id=5" to reach the page that lists all the products in category 5. The website adds the number 5 to a query that it transmits to the database; in effect, the query asks for the information on the products in category 5. The security lapse arises when the web application does not validate the value it receives and routinely appends it to the query text before sending it to the database.
A hacker can exploit this to extract any information from the database: by appending suitable characters to the end of the link, the attacker turns the parameter into SQL of their own choosing and retrieves whatever the database holds (xibis, 2011). Lush announced that it would stay off the Internet until it had deployed an improved and significantly safer website. It also stated that it had commissioned a comprehensive external forensic investigation into the security breach, the results of which would be closely scrutinised to ensure that such lapses did not recur (Computer Weekly, 2011).

Reasons for Hacking Attack in Lush Cosmetics

In what some experts have described as a potential brand destroyer, Lush suffered a major compromise of its e-commerce operation. The attack was discovered over Christmas 2010, and Lush suspended its online trading until the New Year. The company established that the attackers were cyber-criminals stealing credit card information, and it subsequently took the website down (Computer Fraud & Security, 2011, p. 4). The ICO's investigation concluded that Lush had failed to adopt the measures necessary to secure its customers' payment details: its protection was insufficient to withstand a sustained cyber-attack on its website, and it had not implemented proper methods for quickly detecting suspicious activity, which considerably delayed the identification of the breach (Nguyen, 2011). Although Lush had taken some steps to protect its customers' data, it had failed to conduct regular security checks and had not adhered to the standards governing the security of credit card payments.

Tools Used for Hacking

SQL Injection

SQL injection works by tricking the script into including malicious strings when it assembles the SQL it sends to the database.
Therefore, if the actual SQL is sent separately from the parameters, the risk of getting a result other than the one intended is limited. Passing parameters through a prepared statement ensures that they are treated as plain strings (stackoverflow, 2013). For instance, if the $name variable contains 'Sarah'; DELETE FROM employees, the result is nothing more than a search for the string "'Sarah'; DELETE FROM employees"; it is not interpreted as a command to delete all the rows from the employees table. Moreover, a prepared statement that is executed many times in the same session is parsed and compiled only once, which also brings speed gains (stackoverflow, 2013). When targeting a web application, criminals use more than one procedure. As stated in Hacking Techniques in Wired Networks, an attack proceeds through a number of steps that use more than one hacking method (Sharadqeh, et al., 2012, p. 339). SQL injection involves the addition of SQL statements via the input fields of the web application or hidden parameters. The objective is to obtain access to resources or to make changes to the database; in most cases a resource can be defined as a database column that contains important customer data. Validation ensures that the SQL statements do not contain illegal code aimed at procuring unauthorised information. Such hacking is possible with any database, as no vendor has been able to produce a system immune to cyber-attack; SQL injection is not a defect restricted to Microsoft SQL Server (Sharadqeh, et al., 2012, p. 340). Consider a login form of the kind shown in that paper. If the username field is not validated and accepts the input ' or 1=1 --, the resulting query becomes SELECT * FROM Login WHERE Username = '' or 1=1 --' AND Password = '' (Sharadqeh, et al., 2012, p.
341). The two dashes comment out the rest of the line, so the query that reaches the database engine returns every record in the table. Combined with other code, such a query can return a list of all usernames and corresponding passwords in the database. Once such data has been obtained, connectivity to the database has been achieved and the so-called toehold phase of the attack is complete (Sharadqeh, et al., 2012, p. 341). The criminal can then proceed to the advancement phase, writing all the usernames and passwords to a file that is transferred to the criminal's own computer. The remaining phases can be completed using SQL injection and database query commands, making it possible to access and compromise multiple servers (Sharadqeh, et al., 2012, p. 341). HTTP is permitted through practically every network firewall, which leaves the network exposed to external attackers. Moreover, HTTP is a very open protocol, which frequently carries XML and SOAP to support Web services. The proliferation of Web 2.0 architectures has also dissolved the traditional network boundaries, which makes it much harder to secure input and output on the Web (Barnett, 2010).

Recommendations to Counter SQL Injection

To safeguard an application from SQL injection, the following measures need to be taken.

Constrain Input

All input to ASP.NET applications should be validated for type, length, format, and range. Restricting the input used in data access queries protects applications from SQL injection attacks. If server controls are used, ASP.NET validator controls such as RangeValidator and RegularExpressionValidator should be employed to constrain input. If regular HTML input controls are used, the Regex class should be used in the server-side code to constrain input.
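As an added worked example that is not part of the original essay and has nothing to do with any real Lush system, the following Python script uses the standard sqlite3 module and a constructed in-memory database (the table names Products and Login, their columns and their rows are all assumptions made for the demonstration) to reproduce the two injections described above, the "?id=" category query from the Methods of Hacking section and the login bypass with ' or 1=1 --, and then applies the two countermeasures the recommendations call for: constraining input by type, length, format and range, and binding values as parameters so that the SQL text is sent separately from the data. The ID_RANGE and USERNAME_RE constraints are assumed policy values, not anything the essay specifies; the UNION payload in step 2 goes beyond the text's "?id=5" illustration to show how characters appended to the link turn a product listing into a dump of the Login table.

```python
"""Added example: a toy e-commerce database (sqlite3, in memory) showing
the two SQL injections described in the text, the '?id=' category query
and the login bypass, beside parameterised and input-constrained versions.
Table names, columns and rows are constructed for this demonstration and
are not taken from the essay or from any Lush system."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Products(id INTEGER, category INTEGER, name TEXT);
        CREATE TABLE Login(Username TEXT, Password TEXT);
        INSERT INTO Products VALUES (1, 5, 'Bath bomb'), (2, 5, 'Soap'),
                                    (3, 7, 'Shampoo bar');
        INSERT INTO Login VALUES ('alice', 'hunter2'), ('bob', 'letmein');
    """)
    return con


# --- Vulnerable versions: user input is appended straight onto the SQL ---

def products_vulnerable(con, id_param: str) -> list:
    """The '?id=5' handler as the text describes it: the parameter is
    glued onto the query text, so it can carry extra SQL."""
    sql = "SELECT name FROM Products WHERE category = " + id_param
    return con.execute(sql).fetchall()


def login_vulnerable(con, username: str, password: str) -> list:
    """The login query from the text, built by string concatenation."""
    sql = ("SELECT * FROM Login WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return con.execute(sql).fetchall()


# --- Hardened versions: constrained input plus bound parameters ---

ID_RANGE = range(1, 1000)                          # assumed valid range
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # assumed format/length


def products_safe(con, id_param: str) -> list:
    """Constrain the id for type and range, then bind it as a parameter."""
    if not id_param.isdigit() or int(id_param) not in ID_RANGE:
        raise ValueError("invalid category id")
    return con.execute("SELECT name FROM Products WHERE category = ?",
                       (int(id_param),)).fetchall()


def login_safe(con, username: str, password: str) -> list:
    """Constrain the username's format and length, then bind both values.
    The SQL text and the parameters travel separately, so a quote or a
    comment marker inside either value is data, never SQL syntax."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return con.execute(
        "SELECT * FROM Login WHERE Username = ? AND Password = ?",
        (username, password)).fetchall()


def demo() -> dict:
    """Run each payload against both versions and collect the outcomes."""
    con = make_db()
    out = {}
    # 1. Normal use: '?id=5' lists the two products in category 5.
    out["normal"] = products_vulnerable(con, "5")
    # 2. Characters appended to the link turn the listing into a dump of
    #    every username and password (the 'toehold' the text describes).
    out["dump"] = products_vulnerable(
        con, "5 UNION SELECT Username || ':' || Password FROM Login")
    # 3. The login bypass from the text; the query the database receives is
    #    SELECT * FROM Login WHERE Username = '' OR 1=1 --' AND Password = ''
    out["bypass_user"] = login_vulnerable(con, "' OR 1=1 --", "")
    # 4. The same trick through the password field, without a comment marker.
    out["bypass_pw"] = login_vulnerable(con, "alice", "' OR '1'='1")
    # 5. Hardened versions: the password payload is matched literally
    #    (no such password, so no rows), and the malformed inputs are
    #    refused before any SQL is built.
    out["safe_pw"] = login_safe(con, "alice", "' OR '1'='1")
    for key, call in (("safe_user", lambda: login_safe(con, "' OR 1=1 --", "")),
                      ("safe_id", lambda: products_safe(
                          con, "5 UNION SELECT Username FROM Login"))):
        try:
            call()
            out[key] = "accepted"
        except ValueError:
            out[key] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script prints one line per step: the vulnerable category query returns both the products and the Login rows, both vulnerable login calls return every account, while the hardened login returns no rows for the password payload and the hardened functions refuse the two inputs that fail the format and range checks before any SQL is assembled. The parameter binding is what defeats the injection; the input constraints are a second layer that also rejects obviously malformed requests early, which is why the recommendations list both.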
Using Parameters with Stored Procedures

Using Parameters with Dynamic SQL (Meier, et al., 2005)

Conclusion

Web attacks aim to exploit the connectivity, intricacy and extensibility of the Internet, whatever the motive, target or vector. Failure to validate input, inadequate configuration of the database, and giving priority to new features at the expense of security allow hackers to gain access to sensitive information. The Internet provides unprecedented connectivity, but this is both a blessing and a curse.

References

Barnett, R., 2010. The State of Web Security Issues. [online] Available at: [Accessed 14 April 2013].
BBC NEWS Technology, 2011. Lush hackers cash in on stolen cards. [online] Available at: [Accessed 26 March 2013].
Computer Fraud & Security, 2011. Lush attacked. Computer Fraud & Security, 2011(2), p. 4.
Computer Weekly, 2011. Lush hacking a reminder of data security threats, says law firm. [online] Available at: [Accessed 26 March 2013].
Hill, P. & Allnutt, H., 2011. Closing the breach. Insider Quarterly, Issue 39, pp. 86-87.
Kidd, R., 2012. Time to get serious with cyber security. The Courier-Mail, 23 January, p. 1.
Meier, J. D. et al., 2005. How To: Protect From SQL Injection in ASP.NET. [online] Available at: [Accessed 15 April 2013].
Nguyen, A., 2011. Lush breached Data Protection Act, ICO confirms. [online] Available at: [Accessed 14 April 2013].
Sharadqeh, A. A. M. et al., 2012. Review and Measuring the Efficiency of SQL Injection Method in Preventing E-Mail Hacking. International Journal of Communications, Network and System Sciences, 5(6), pp. 337-342.
SPAMfighter, 2008. SMEs in Britain Widely Suffer from E-Crime. [online] Available at: [Accessed 26 March 2013].
stackoverflow, 2013. How to prevent SQL injection in PHP?. [online] Available at: [Accessed 14 April 2013].
xibis, 2011. Lush.co.uk hacked. [online] Available at: [Accessed 26 March 2013].
Source: E-Crime and SMEs: Lush Cosmetics Case Study Example | Topics and Well Written Essays - 1750 words. https://studentshare.org/e-commerce/2049829-crime

CHECK THESE SAMPLES OF E-Crime and SMEs: Lush Cosmetics

'Representation of the female body in Hip Hop music videos' An analysis of content

Our research area in this exploratory and investigative report is the usage and representation of the female body in hip hop music videos.... We will be restricting our research on the topic by focusing on the genre: Hip Hop.... ... ... ... The present day music scene is dominated by extravagant usage of accessories, sets and high end technologically sophisticated gadgets....
28 Pages (7000 words) Dissertation

The Effect of TV on People's Behavior

Life doesn't imitate art, it imitates bad television.... ?– Woody Allen The influence of television on our life cannot be undermined in any way.... The television programs and ads determine the way we dress, talk and spend our money.... .... ... ... The Effect of TV on People's Behaviour.... Life doesn't imitate art, it imitates bad television....
27 Pages (6750 words) Research Paper

Entrepreneur Interview & Personal Analysis

The business is Norvak Beauty and Parlour where she deals with many customers who come for the beauty services and cosmetics.... The business is Norvak Beauty and Parlour where she deals with many customers who come for the beauty services and cosmetics.... The business is classified within the small and medium enterprises (smes) and thus a personal interview was very necessary....
8 Pages (2000 words) Essay

The Politics of Doctor Who

The Politics of Doctor Who Introduction In the television series Doctor Who, there are allegories which correspond to the real world.... Some would say that the show is very political – both Alec Charles and Marc Dipaolo, in their essays listed below, see that the allegories are decidedly liberal and offer a critique for not only the neoconservatives who goaded much of the world into the war wi th Iraq, but also provide critiques for other aspects of conservative politics – such as the corporatism, racism, and pursuit of materialism over the good of the world....
10 Pages (2500 words) Essay

The Impact of Communications Technology on Business

The author of this current paper "The Impact of Communications Technology on Business" will make an earnest attempt to describe how the internet operates and describe examples of how the internet is used by selected, contrasting businesses.... [IE].... ... ... ... The internet is a global connection of networks, which these networks connect together in many different methods to form the internet....
50 Pages (12500 words) Coursework

Strategic Analysis of Lush Cosmetics UK Subsidiary

The researcher of this essay "Strategic Analysis of lush cosmetics UK Subsidiary" aims to analyze lush cosmetics UK Subsidiary.... lush cosmetics is a UK based personal care product retailer.... lush cosmetics is a well-known organization for their fresh, handmade and preservative cosmetic products.... he tangible resources of lush cosmetics include their employees, production laboratories, and product packaging ingredients....
12 Pages (3000 words) Term Paper

Security and Trust in E-business

From the paper "Security and Trust in E-business" it is clear that the online users become victims as they are not aware of the authenticity of e-commerce based websites.... Security seals add credibility to a website so that the users can see how the company is managing user information.... ... ...
29 Pages (7250 words) Research Paper

The Politics of Doctor Who

This paper "The Politics of Doctor Who" focuses on the fact that in the television series Doctor Who, there are allegories which correspond to the real world.... Some would say that the show is very political – both Alec Charles and Marc Dipaolo, in their essays listed below.... .... ... ... The allegories are decidedly liberal and offer a critique for not only the neoconservatives who goaded much of the world into the war with Iraq, but also provide critiques for other aspects of conservative politics – such as the corporatism, racism, and pursuit of materialism over the good of the world....
10 Pages (2500 words) Essay
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us