The most innovative and damaging hacks of 2015

The year's most significant attacks highlight how hackers are changing tactics -- and how IT security must evolve in the year ahead

1 2 Page 2
Page 2 of 2

“Hoarding zero-day exploits at both the national and private level is dangerous for everyone. We can’t expect to come out on top if we are sitting on these types of vulnerabilities,” said Tom Gorup, security operations leader at security consulting firm Rook Security.

Not reporting the vulnerabilities to the vendor for fixes means someone else can come along and find the same bug. If it was found in the first place, it stands to reason someone else will eventually find it, too. As Hacking Team learned the hard way, anyone can be breached. And once the vulnerabilities are public, everyone is at risk. Zero-day exploits are not like physical weapons in that the original owner has control over how and when it is used. The weapon can be used right back, with devastating consequences.

“We need to refocus our cyber efforts to a defensive posture and let our infantry and airmen handle the offensive efforts,” Gorup said.

Government services leak too much info

As attacks against government agencies go, the IRS Transcript Service breach was small beans. Only 100,000 people had their information exposed through this breach, which is significantly less than the 21.5 million affected by the OPM breach. The attackers plugged in the victim’s name, address, and Social Security number into the IRS Get Transcript service to obtain detailed information such as income, employer name, and dependents.

More uniquely, attackers used legitimate services to convert basic personally identifiable information to determine detailed data that could be used to falsify tax returns and other forms of financial fraud. The same method can conceivably be used with the Department of Motor Vehicles' online renewal process or with a property appraisal site maintained by the county. With the information obtained through these services, identity theft becomes easier. It was especially effective, as attackers enjoyed a 50 percent success rate using the stolen data, noted Morey Haber, vice president of technology at BeyondTrust.

“Many sites like the Get IRS Transcript website exist all over the Internet for state, local, and federal governments. The IRS was an easy target, but so are the others,” Haber said.

Forget cars, what’s happening with airplanes?

Vehicular hacking burst on to the scene in 2015 and grabbed a lot of security headlines, but we should be worried about all the things we don’t know regarding attacks on airplanes. About the time researchers Charlie Miller and Chris Valasek were exploiting a Chrysler’s UConnect infotainment system to remotely control a 2014 Chrysler Jeep Cherokee, there were reports the group behind the OPM breach had successfully obtained records of origins and destinations of United Airlines passengers, as well as passenger manifests. Another group of attackers also disrupted the IT systems for LOT Polish Airways, which resulted in the airline canceling 20 flights and grounding 1,400 passengers.

Then of course there’s the FBI’s claim that security researcher Chris Roberts caused a plane’s engine to climb when he was poking around aircraft systems while on a United Airlines flight. The jury’s out on whether Roberts actually managed to take over the jet.

Should these attacks concern us? Are airplanes at risk? Both United and LOT have refused to provide any information on the issues.

“The scary answer here is that we don’t know, and that’s both surprising and unsurprising at the same time,” said Johnathan Kuskos, manager of the threat research center at WhiteHat Security.

There are two different types of attacks to worry about. One targets IT systems, such as the airline website and check-in kiosks at the airport. The other targets onboard systems that actually power and control the aircraft. The onboard systems tend to be heavily sandboxed and are locked down. IT systems are more at risk. And according to WhiteHat’s vulnerability statistics report, every online application has at least one serious vulnerability.

“It’s hard to imagine that a professional criminal syndicate or state-sponsored hackers haven’t targeted these major airlines yet,” Kuskos said.

Getting around Apple’s walled garden

Palo Alto Networks this year uncovered XcodeGhost, a malware attack that infected iOS applications and existed in the App Store for months before being detected. The attack relied on iOS developers downloading a compromised version of Xcode, the iOS dev kit. Compromising a toolchain is not a new attack method, and XcodeGhost was extremely successful at infecting developers on a wide scale. The real danger lies in what lessons the XcodeGhost team learned from its success and how it will try again.

The way the malware infected iOS apps before they were distributed into the App Store was completely new, said Ryan Olson, intelligence director at Palo Alto Networks. Developers are vulnerable and attackers can piggy-back on their apps into the App Store, past Apple’s vaunted security measures.

“While the XcodeGhost malware was not particularly dangerous, it was groundbreaking in the way it gained access to millions of devices,” Olson said.

XcodeGhost showed people that Apple’s walled garden can be breached and at a wide scale. It forced app developers to clean up their systems, re-issue their applications, and be better about where they get their developer tools. In order to defend against similar attacks, iOS developers need to understand their dev systems and apps are valuable to attackers looking for ways to target iOS users.

“XcodeGhost was the first truly widespread malware that impacted non-jailbroken phones, it was a massive eye-opener for iOS users who had previously thought they were invulnerable to attack,” Olson said.

Juniper’s unauthorized backdoor scandal

Juniper Networks recently uncovered unauthorized code in its Juniper NetScreen firewalls that could allow attackers to decrypt VPN traffic. The issue arose from the fact that Juniper used Dual_EC_DRBG, a known flawed random-number generator, as the foundation for cryptographic operations in NetScreen's ScreenOS. Juniper claimed it used additional precautions to secure the random number generator. It turned out the safeguards were ineffective.

The backdoor in Dual EC can be viewed as two parts, where one adds a second keyhole that overrides the normal lock on a door, and the other is a specific lock cylinder that fits that keyhole, Matthew Green, a cryptographer and assistant professor at Johns Hopkins University, wrote on Twitter. The attackers replaced the NSA-approved lock cylinder with their own lock cylinder. They wouldn’t have been able to replace the cylinder if the door hadn’t been modified with the keyhole in the first place.

In the end, someone somewhere was able to decrypt Juniper traffic in the United States and around the world. The matter is currently under investigation by the FBI.

“NSA built in a powerful eavesdropping backdoor. The attackers simply repurposed it by changing a few bytes of code,” Green said. “I’ll be honest, while I’ve been worrying about something like this for a long time. Seeing it actually happen is staggering.”

In light of the mounting pressure from government officials on the tech industry over encryption backdoors, what happened to Juniper is a clear example of how backdoors can be abused. 2016 will tell whether law enforcement and government will learn the lesson and back off on those demands.

Understanding 2015

It’s clear from looking at the attacks and breaches this year that the IT security industry is not well-positioned to defend itself. Knowing is half the battle, but there’s a long road ahead for organizations that don’t follow the basics of security best practices. “Security isn’t cheap, and when you’ve historically underinvested in security, what it takes to catch up in both technology investment and human capital is expensive,” said James Carder, CISO at LogRhythm and vice president of LogRhythm Labs.

Related articles

This story, "The most innovative and damaging hacks of 2015" was originally published by InfoWorld.

1 2 Page 2
Page 2 of 2
NEW! Download the Winter 2018 issue of Security Smart