Taobao’s security breach from a log erspective
Taobao.com, one of the world’s top 10 most visited websites, just faced what seems like a brute force attack of staggering proportions on its user accounts. Taobao is a Chinese buying-and-selling site owned by China’s online giant, Alibaba, and offers a consumer-to-consumer (C2C) retail platform, where users are not buying from the website but through sellers offering their goods on it.
It seems the attackers didn’t attempt to breach Taobao’s own systems but used a very large database of usernames and passwords that stem from previous hacks of various other web sites. They then used these credentials for massive automated login attempts to Taobao.com. Because many people use the same name and password on different web sites, a number of these login attempts were successful. What makes this particular case special is the dimension: Reports say the hackers executed approximately 100 million login attempts, and almost 21 million of these turned out to be successful.
Some of the key learnings from Taobao’s security breach, from a log data perspective:
- Log management and log monitoring are crucial security assets. Logs are where login attempts and other system activities are being recorded, and they are where suspicious events can be tracked.
- Proactive, automated detection of unusual activity, like anomaly detection, is a must-do. The complexity of modern web sites and their levels of traffic result in log data volumes that can only be machine-monitored.
- Website operators should proactively define alerts based on log event patterns that might reveal attacks. You might not be able to know every potential attack pattern in advance, so this is not an easy task. But if you don’t analyze your logs and look for what’s going on, you’ll never be able to detect suspicious activity. Also, try to anticipate what normal activity on your system might be used to fly under the radar. In Taboo’s case, it looks as if the hackers’ activity didn’t trigger any alerts because multiple login attempts to a single account were considered normal.
- Even very large amounts of log data need to be retained and archived. In the case of a successful attack, you would need to be able to analyze past events, be it to understand what exactly happened or to provide forensic data for a potential legal aftermath (which could be prosecuting the attackers or just defending yourself against charges). In most cases, you can’t and you don’t have to archive everything forever, but you need to carefully think through what a reasonable log data retention time is for your business.