Some thoughts on the VTech hack
The initial analysis of the hack of VTech's electronic learning toys, and the consequent exposure of 5,000,000 (that's five million) customers' details, is quite shocking. It appears that the exploit was a simple SQL injection attack. In a SQL injection attack the attacker types a specially crafted string into a form field on a website; because the site pastes that string straight into the text of the SQL query it sends to its database, the string can change what the query does, and so return data the form was never meant to expose. The database connection itself is not broken into; the application hands the attacker's text to the database as part of its own query.
We've written at length about the need to build defence and security into the web code itself. We've argued that doing so is actually easier than not doing so, and that it produces better, more readable and more maintainable code. For SQL injection in particular the fix is simple: use parameterised queries, so that user input is passed to the database as a value and is never interpreted as SQL. We continually argue that code should be tested, and that web sites should be regularly pen-tested and protected by a web application firewall such as CloudFlare or Imperva, bearing in mind that a firewall is a second line of defence and not a substitute for fixing the code.
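To make the mechanism concrete, here is an added example (not code from the original post, and not VTech's code): a tiny SQLite-backed customer lookup written the injectable way next to the parameterised version, with two hypothetical probe strings of the kind a pen-tester would type into the form. The table, its column names and the probe strings are all constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for a toy vendor's customer table.
# Names, addresses and "hashes" are invented for this example.
CUSTOMERS = [
    ("alice", "alice@example.com", "hash-of-alices-password"),
    ("bob", "bob@example.com", "hash-of-bobs-password"),
    ("carol", "carol@example.com", "hash-of-carols-password"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """The injectable pattern: the form field's content is concatenated into
    the SQL text, so whatever the user typed becomes part of the query."""
    sql = (
        "SELECT username, email FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The parameterised version: the driver sends the value separately from
    the SQL text, so the input can never change the query's structure."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Hypothetical probe strings a tester would submit to the form.
# TAUTOLOGY closes the quoted literal and makes the WHERE clause always true,
# so every customer row comes back instead of one.
TAUTOLOGY = "nobody' OR '1'='1"

# UNION_DUMP appends a second SELECT that pulls a column (password_hash) the
# form was never designed to show; this is how "exposes data" happens.
UNION_DUMP = "x' UNION SELECT username, password_hash FROM customers WHERE '1'='1"


def run_probes(conn, lookup):
    """Run both probes through a lookup function and report what leaked:
    (number of rows returned for the tautology, set of values in the second
    column for the union probe). For a safe lookup both are empty."""
    rows_tautology = lookup(conn, TAUTOLOGY)
    rows_union = lookup(conn, UNION_DUMP)
    return len(rows_tautology), {row[1] for row in rows_union}


if __name__ == "__main__":
    db = make_db()
    print("honest lookup:", lookup_vulnerable(db, "alice"))
    print("vulnerable lookup under probes:", run_probes(db, lookup_vulnerable))
    print("parameterised lookup under probes:", run_probes(db, lookup_safe))
```

The same `run_probes` check, pointed at each query function an application exposes, is the kind of test the post is asking for: it fails loudly the moment someone reintroduces string concatenation into a query.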
Surely these things are no longer optional? Ignoring these issues, neglecting to test for such vulnerabilities, or failing to take other simple precautions is inexcusable given the consequences.
We may not be the cheapest, but we do these things: we have developed the techniques, and we advise customers to take adequate security measures. This up-front investment is clearly more efficient than trying to clear up the mess afterwards.