Scary news dominated the headlines constantly this year, with breaches, bugs and attacks involving Home Depot, Heartbleed, iCloud, Sony and others.
Unfortunately, security experts say the attacks will only continue. But they’re hoping there’s a silver lining to this brutal year: the start of a long-overdue conversation about the potential attacks that threaten everyone online.
Nation-State Attacks
There are new revelations about one of the most significant hacks the NSA and its partnering spy agency, the UK’s GCHQ, are known to have committed. That hack involved Belgium’s partly state-owned telecom Belgacom. When the Belgacom hack was first exposed in the summer of 2013, it was quickly hushed up. Belgian authorities made nary a sound of protest over it. All we knew was that the spy agencies had targeted system administrators working for the telecom in order to gain access to special routers the company used to manage customer cell phone traffic. New revelations about the Regin malware used in the hack, however, show how the attackers also sought to hijack entire telecom networks outside of Belgium so they could take control of base stations and monitor users or intercept communications. Regin is clearly just one of many tools the spy agencies have used to undermine private company networks.
Extortion
Controversy still swirls around the Sony hack and the motivation for that breach. But whether the hackers breached Sony’s system to extort money or a promise to shelve The Interview, hacker shakedowns are likely to occur again. The Sony hack wasn’t the first hacker extortion we’ve seen. But most of them until now have occurred on a small scale—using so-called ransomware that encrypts a hard drive or locks a user or corporation out of their data or system until money is paid. The Sony hack—possibly perpetrated by hacktivists aided by a disgruntled insider or nation-state-backed hackers, according to the government and various alternative theories—is the first high-profile extortion breach that involved threats of data leaks. This kind of hack requires more skill than low-level ransomware attacks, but could become a bigger problem for prominent targets like Sony that have a lot to lose with a data leak.
Data Destruction
The Sony hack announced another kind of threat we haven’t seen much in the U.S.: the data destruction threat. The attackers behind the breach of Sony Pictures Entertainment didn’t just steal data from the company; they also deleted it. It’s a tactic that had been used before in attacks against computers in South Korea, Saudi Arabia and Iran—in South Korea against banks and media companies and in Saudi Arabia and Iran against companies and government agencies involve in the oil industry. Malware that wipes data and master boot records to render systems inoperable. Good data backups can prevent an attack like this from being a major disaster. But rebuilding systems that are wiped like this is still time-consuming and expensive, and you have to make sure that the backups you restore are thoroughly disinfected so that lingering malware won’t re-wipe systems once restored.
Bank Card Breaches
In the last decade there have been numerous high-profile breaches involving the theft of data from millions of bank cards—TJX, Barnes and Noble, Target and Home Depot to name a few. Some of these involved hacking the point-of-sale systems inside a store to steal card data as it traversed a retailer’s network; others, like the Barnes and Noble hack, involved skimmers installed on card readers to siphon card data as soon as the card was swiped. Card issuers and retailers are moving to adopt more secure EMV or chip-‘n’-PIN cards and readers, which use an embedded microchip that generates a one-time transaction code on in-store purchases and a customer-entered PIN that makes stolen data less useful to card thieves. As a result, card breaches like this are expected to decline. But it will take a while for chip-‘n’-PIN systems to be widely adopted.
With the shift to EMV cards, hackers will simply shift their focus. Instead of going after retailers for card data they’ll simply target card processors that handle payroll accounts. In recent hacks involving the theft of $9 million and $45 million, hackers broke into the networks of companies responsible for processing pre-paid card accounts for payroll payments. After artificially increasing the balance and withdrawal limit on a handful of payroll accounts, mules around the world then cashed out the accounts through hundreds of ATM withdrawals in various cities.
Third-Party Breaches
In recent years we’ve seen a disturbing trend in so-called third-party hacks, breaches that focus on one company or service solely for the purpose of obtaining data or access to a more important target. In the Target breach when hackers got into the retailer’s network through a heating and air-conditioning company that did business with Target and had access to its network. But this is low-level compared with more serious third-party breaches against certificate authorities and others that provide essential services. A breach against RSA Security in 2011 was aimed at getting the hackers access to RSA security tokens used by government agencies and corporations to secure their systems. And a breach of certificate authorities—such as one involving a Hungarian certificate authority in 2011—provides hackers with the ability to obtain seemingly legitimate certificates to sign malware and make it look like legitimate software. Similarly, a breach of Adobe in 2012 gave the attackers access to the company’s code-signing server, which they used to sign their malware with a valid Adobe certificate. Third-party breaches like these are a sign that other security measures have increased. Hackers need to resort to stealing certificates because operating systems like Windows now come with security features that prevent certain code from installing on them unless it’s signed with a legitimate certificate. These kinds of breaches are significant because they undermine the basic trust that users have in the internet’s infrastructure.
Critical Infrastructure Attack
Until now, the most serious breach of critical infrastructure we’ve seen occurred overseas in Iran when Stuxnet was used to sabotage that country’s uranium enrichment program. But the days when critical infrastructure in the U.S. will remain untouched are probably drawing to a close. One sign that hackers are looking at industrial control systems in the U.S. is a breach that occurred in 2012 against Telvent, a maker of smart-grid control software used in portions of the U.S. electrical grid as well as in some oil and gas pipeline and water systems. The hackers gained access to project files for the company’s SCADA system. Vendors like Telvent use project files to program the industrial control systems of customers and have full rights to modify anything in a customer’s system through these files. Infected project files were one of the methods that Stuxnet used to gain access to Iran’s uranium-enrichment systems. Hackers can use project files to infect customers or use the access that companies like Telvent have to customer networks to study the customer’s operations for vulnerabilities and gain remote access to their control networks.
Recent Vulnerabilities
POODLE
The POODLE attack (which stands for “Padding Oracle On Downgraded Legacy Encryption”) is a man-in-the-middle exploit which takes advantage of Internet and security software clients’ fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated “September 2014” ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.
The CVE-ID associated with the original POODLE attack is CVE-2014-3566. F5 Networks filed for CVE-2014-8730 as well.
POODLE exemplifies a vulnerability that succeeds thanks to a mechanism designed for reducing security for the sake of interoperability. When designing systems in domains with high levels of fragmentation, then, extra care is appropriate. In such domains graceful security degradation may become common.
To mitigate the POODLE attack, one approach is to completely disable SSL 3.0 on the client side and the server side. However, some old clients and servers do not support TLS 1.0 and above. Thus, the authors of the paper on POODLE attacks also encourage browser and server implementation of TLS_FALLBACK_SCSV, which will make downgrade attacks impossible.
Another mitigation is to implement “anti-POODLE record splitting”. It splits the records into several parts and ensures none of them can be attacked. However the problem of the splitting is that, though valid according to the specification, it may also cause compatibility issues due to problems in server-side implementations. Opera 25 has implemented this mitigation in addition to TLS_FALLBACK_SCSV.
Heartbleed
Heartbleed is a security bug disclosed in April 2014 in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. Heartbleed may be exploited regardless of whether the party using a vulnerable OpenSSL instance for TLS is a server or a client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug’s name derives from “heartbeat”. The vulnerability is classified as a buffer over-read, a situation where more data can be read than should be allowed.
Heartbleed is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160. The federal Canadian Cyber Incident Response Centre issued a security bulletin advising system administrators about the bug. A fixed version of OpenSSL was released on April 7, 2014, on the same day Heartbleed was publicly disclosed.
At the time of disclosure, some 17% (around half a million) of the Internet’s secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers’ private keys and users’ session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug “catastrophic”. Forbes cybersecurity columnist Joseph Steinberg wrote, “Some might argue that Heartbleed is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.” As of May 20, 2014, 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to Heartbleed.
TLS implementations other than OpenSSL, such as GnuTLS and Mozilla’s Network Security Services, are not affected, as the defect lies in OpenSSL’s implementation rather than in the Internet protocol itself. Consequently, none of Microsoft’s products or services are affected by Heartbleed.
Shellshock
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
Stéphane Chazelas contacted Bash’s maintainer, Chet Ramey, on 12 September 2014 telling about his discovery of the original bug, which he called “Bashdoor”. Working together with security experts, he soon had a patch as well. The bug was assigned the CVE identifier CVE-2014-6271. It was announced to the public on 24 September 2014 when Bash updates with the fix were ready for distribution.
The first bug causes Bash to unintentionally execute commands when the commands are concatenated to the end of function definitions stored in the values of environment variables. Within days of the publication of this, intense scrutiny of the underlying design flaws discovered a variety of related vulnerabilities, (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187); which Ramey addressed with a series of further patches.
Attackers exploited Shellshock within hours of the initial disclosure by creating botnets of compromised computers to perform distributed denial-of-service attacks and vulnerability scanning. Security companies recorded millions of attacks and probes related to the bug in the days following the disclosure.
Shellshock could potentially compromise millions of unpatched servers and other systems. Accordingly, it has been compared to the Heartbleed bug in its severity.
Apple Inc. commented that OS X systems are safe by default, unless users configure advanced UNIX services. Such advanced users are typically capable of turning the services off until a patch built using Xcode can be implemented. Although notified of the vulnerability before it was made public, the company did not release a corresponding OS X update until 29 September 2014, at which time the OS X bash Update 1.0 was released.
