[BreachExchange] 2017 Was A Nightmare Year For Security

Inga Goddijn inga at riskbasedsecurity.com
Wed Jan 3 10:41:04 EST 2018


2017 has been a unique and tough year
<http://www.cnn.com/specials/world/year-in-review-2017> in many ways,
plagued by natural and man-made disasters alike. Warm waters in the
Caribbean and Gulf of Mexico spun up massive hurricanes, another major
earthquake rocked Mexico City, and monsoon rains in South Asia caused
immense damage and loss of life. Mother Nature wasn’t alone in wreaking
havoc, as we continue to see political conflicts around the world causing
mass displacement, unrest and even renewed fears that military conflict is
coming soon. That said, while we tend to focus on the negative events,
there are websites that point out the great things happening
<https://thehappinesswagon.com/> worldwide, and there were positive events
this past year including the captivating Great American Eclipse
<https://www.greatamericaneclipse.com/>, a truly unique experience shared
by millions.

Unfortunately, trying to find 2017’s positive news in the information
security world has proven to be quite difficult. Plainly put, it has not
been a good year when it comes to cyber security.  While people are busy
working on and publishing their 2018 predictions (which we tend to find
quite useless for the most part), we thought it would make more sense to
first reflect on 2017 and try to better understand the root cause for the
many things that went wrong.

*Just How Bad Was 2017?*

   - As of December 31, there were over *5,000 publicly disclosed data
   breaches in 2017*. Without a doubt that makes it the worst year in terms
   of frequency, as the previous high was 4,190. This brings the
   all-time total up to over *28,800 data breaches.*
   - When we published our third quarter DataBreach QuickView Report
   it had already been the worst year ever recorded in terms of the amount of
   records exposed. There have been *7.8 Billion records exposed* thus far.
   The previous highest was 2016 as well, originally 4.3 Billion but recently
   revised up to 6.3 Billion after Yahoo! updated its breach figures. This
   now brings us up over *19+ Billion records exposed all time.*
   - When looking at the software that organizations rely on, there were over
   20,000 vulnerabilities disclosed in 2017.
   <https://vulndb.cyberriskanalytics.com/#statistics> Last year there were
   15,866 disclosed vulnerabilities, a 25.5% increase in reported weaknesses.

*This means that 2017 was the worst year on record for frequency and
severity of data breaches as well as the most vulnerabilities disclosed
that we’ve ever seen.*

*2017 Security Events*

To illustrate the point, we have curated some of the more significant and
newsworthy events by month from 2017. While we do not intend for this to be
a comprehensive list, we do consider these events as representative of the
current state of the information security industry.

   - *Chinese Data Breaches*
      - There were two sizeable data breaches in China:
         - EmailCar (Shanghai Spring Rain Information Technology Co., Ltd.)
            - Date: 2017-01-01
            - 267,693,854 email addresses and phone numbers exposed in an
            unsecured MongoDB installation and dumped on the Internet
         - NetEase, Inc. dba 163.com
            - Date: 2017-01-25
            - 1,221,893,767 email addresses and passwords stolen by hackers
            and sold on the Dark Web by DoubleFlag

   - *Kaspersky Arrest*
      - A key cybercrime investigator at Kaspersky, Russia’s biggest
      cybersecurity firm, was arrested on charges of treason, Russia’s
      Kommersant newspaper <http://www.kommersant.ru/doc/3200840> reported.

   - *FTC v. D-Link*
      - The FTC sued D-Link over insecure routers and webcams.
      - With these complaints the commission recognized the inherent
      danger in the growing number of connected devices, which can both leave
      consumers at risk and be used maliciously.
      - While this was another potentially big step in the ongoing efforts
      of the FTC to address the growing consumer risk of insecure Internet of
      Things devices, 3 of the 6 complaints were later dismissed.

   - *WhatsApp Backdoor*
      - A security researcher reported what he described as a backdoor in
      WhatsApp’s end-to-end encryption, a characterization that WhatsApp and
      the authors of the underlying Signal protocol disputed.
      - Concern was raised about the potential of a government agency being
      effectively granted access to read messages.


   - *CloudBleed*
      - Tavis Ormandy from Google’s Project Zero contacted
      <https://twitter.com/taviso/status/832744397800214528> Cloudflare to
      report a security problem with their edge servers. He was seeing
      corrupted web pages, containing leaked memory, being returned by some
      HTTP requests run through Cloudflare.
      - This was a significant vulnerability leaking sensitive data in a
      cloud service that at the time fronted some 6 million websites.

   - *Philippines List of Registered Voters Exposed*
      - Republic of the Philippines Commission on Elections (COMELEC)
      - Date: 2017-02-16
      - 55,195,674 voter records contained in the National List of
      Registered Voters (NLRV) and Voter Search application, as well as an
      additional 58,346 biometric records belonging to Wao, Lanao del Sur
      voters, held on a stolen computer

   - *White House Cyber Security Shakeup*
      - The Chief Information Security Officer for the White House’s
      Executive Office of the President was removed from his position


   - *ShadowBrokers Dump*
      - An anonymous group calling themselves the Shadow Brokers
      gained access to NSA hacking tools and exposed vulnerabilities including
      some significant exploits.

   - *Wikileaks Vault 7 – CIA Leak*
      - Wikileaks published CIA material with revelations that included iOS
      and Android vulnerabilities, bugs in Windows, and the ability to turn
      some smart TVs into listening devices.


   - *Cylance Layoffs*
      - Cylance, one of the strongest recent success stories in the
      security market, was hit by a round of layoffs, multiple sources close
      to the company told CRN.

   - *Zero Days*
      - Four 0-days were discovered in the wild: one in Ghostscript
      <http://ghostbutt.com/>, one in Microsoft Internet Explorer, and two
      in Microsoft Office. One of the Microsoft Office vulnerabilities
      (CVE-2017-0199) has been very actively exploited since then.


   - *WannaCry*
      - The now infamous and widespread WannaCry worm ransomware
      event caused major outages. The worm spread using ShadowBrokers/NSA
      exploits that were published earlier in the year.
      - Costs due to this event have been estimated to be as high as $4B USD

   - *DU Group dba DU Caller Breach*
      - Date: 2017-05-13
      - 2,000,000,000 user phone numbers, names, and addresses
      inappropriately made accessible to others through an uncensored public

   - *OneLogin Breach*
      - Date: 2017-05-31
      - Single sign-on service OneLogin had AWS keys stolen
      <https://www.onelogin.com/blog/may-31-2017-security-incident>, giving
      persons unknown access to their AWS platform and, for a few hours,
      access to database tables


   - *Petya / NotPetya*
      - On the heels of WannaCry another ransomware event hit in June,
      called NotPetya (dubbed NotPetya because it masquerades as the Petya
      ransomware).
      - The update mechanism of M.E.Doc, a Ukrainian accounting software
      package, was compromised and used to spread the malware.
      - The NotPetya event caused serious disruption to businesses around
      the world, reportedly costing FedEx’s TNT Express unit $300M USD,
      and a similar amount for shipping giant Maersk, which was also hit by
      the malware.

   - *Deep Root Analytics Breach*
      - Date: 2017-06-19
      - Approximately 198,000,000 voter names, addresses, dates of birth,
      phone numbers, party affiliations, ethnicities, voter registration
      details, Do-Not-Call statuses, and policy preference scores left
      exposed in an unsecured Amazon S3 bucket.
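The Deep Root Analytics exposure is the kind of misconfiguration that is trivial to check for before data is loaded. The following is an added example written for this post, not code from Risk Based Security or from AWS: it audits an S3 bucket policy and ACL, in the shapes the GetBucketPolicy and GetBucketAcl APIs return, for grants that make the bucket world-readable. The bucket name, account ID and role name in the sample documents are constructed for the example.

```python
"""Audit S3 bucket policies and ACLs for world-readable grants.

Added example for this post, not code from Risk Based Security or AWS.
It runs offline against constructed documents in the shape returned by the
S3 GetBucketPolicy (JSON policy string) and GetBucketAcl (dict) APIs; the
bucket name, account ID and role name below are made up.
"""
import json

# The two predefined groups that make an ACL grant "public".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the Internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(actions):
    """True if any action lets the caller read or list bucket contents."""
    for action in _as_list(actions):
        a = action.lower()
        if a in ("*", "s3:*") or a.startswith("s3:get") or a.startswith("s3:list"):
            return True
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements that give anonymous read access.

    Statements carrying a Condition are skipped rather than flagged: they
    may still be public (e.g. a Condition only on aws:SecureTransport), so
    review those by hand.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _anonymous_principal(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(acl):
    """Return (group URI, permission) for every grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


# Constructed sample documents (made-up bucket, account and role names).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-voter-file",
                     "arn:aws:s3:::example-voter-file/*"],
    }],
})

LOCKED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # only one named role in the owning account may read
            "Sid": "AnalystRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/analyst"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-voter-file/*",
        },
        {   # a Deny with Principal "*" is not an exposure
            "Sid": "DenyPlaintextTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-voter-file/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

OPEN_ACL = {"Grants": [{
    "Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ",
}]}


if __name__ == "__main__":
    print("open policy  :", public_policy_statements(OPEN_POLICY))
    print("locked policy:", public_policy_statements(LOCKED_POLICY))
    print("open ACL     :", public_acl_grants(OPEN_ACL))
```

The check mirrors the two ways a bucket becomes readable by anyone: a bucket policy whose principal is anonymous, and an ACL grant to the AllUsers or AuthenticatedUsers groups. On a live account the same two functions can be fed the `Policy` string from boto3's `get_bucket_policy` and the dict from `get_bucket_acl`; a bucket that passes both still needs its object ACLs reviewed, since an object can carry a public grant of its own.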


   - *HBO Hack*
      - Hackers attack HBO
      and say that they have stolen and leaked a trove of HBO data onto the
      Internet, including a script for an upcoming episode of “Game of Thrones”
      as well as video of new episodes of shows such as “Ballers”, “Insecure”,
      and “Room 104”. And, they say, there’s more to come.

   - *Reliance Jio Infocomm Ltd Breach*
      - Date: 2017-07-09
      - 120,000,000 customer names, phone numbers, email addresses, and SIM
      activation dates accessed by hackers using stolen login credentials

   - *Electronic Voting Machines Hacked @ DEF CON*
      - Participants were able to successfully breach the software of U.S.
      voting machines
      in less than two hours at a competition in Las Vegas.


   - *MalwareTech Arrested*
      - Marcus Hutchins, the cybersecurity expert hailed for stopping the
      WannaCry attack, was quietly arrested as the British resident prepared
      to fly out of Las Vegas, the site of the DEF CON conference.
      - The widely celebrated cybersecurity researcher
      <https://krebsonsecurity.com/2017/09/who-is-marcus-hutchins/> was
      indicted on charges of developing software that has stolen banking
      credentials from an untold number of people.

   - *Abbott Pacemaker Recalls*
      - Medical device maker Abbott announces
      that it is voluntarily recalling some 465,000 pacemakers to install a
      firmware update to patch vulnerabilities in the devices.

   - *Unknown Organization Breach*
      - Date: 2017-08-29
      - 711,000,000 email addresses, passwords, and SMTP credentials
      exposed on the Internet due to a misconfigured spambot database


   - *Bluetooth (BlueBorne)*
      - New vulnerabilities were disclosed in computers and mobile devices
      that leave them open to attack via Bluetooth.
      - The BlueBorne attack doesn’t require user interaction or even
      pairing with the target device; an attacker in radio range can simply
      connect over the air and access networks or install malware.

   - *Kaspersky Banned*
      - The US government bans federal agencies from using cybersecurity
      software made by Russian company Kaspersky Lab
      over fears that the firm has ties to state-sponsored spying programs.
      - Best Buy pulls Kaspersky Lab products
      after concerns over ties to the Russian government.

   - *Equifax Breach*
      - Equifax has a data breach
      that discloses 145,500,000 consumers’ names, dates of birth, Social
      Security numbers, addresses, and driver’s license numbers, as well as
      209,000 credit or debit card numbers and 182,000 dispute documents
      containing unknown personal identifying information. The breach was
      caused by hackers exploiting a vulnerability known as Struts Shock
      (CVE-2017-5638, a remote code execution flaw) in the Apache Struts
      framework, for which a patch had been available for months but which
      Equifax had neglected to apply.

   - *Deloitte Breach*
      - While most were paying attention to the Equifax breach, Deloitte
      ends up having a substantial breach disclosed as well.
      - It was reported
      that the hacker compromised the firm’s global email server through an
      “administrator’s account” that, in theory, gave them privileged,
      unrestricted “access to all areas”.


   - *WPA2 – Wireless Broken*
      - The KRACK (Key Reinstallation Attacks) vulnerability is disclosed
      <https://www.krackattacks.com/>, which details a flaw in WPA2’s
      cryptographic protocols
      <https://www.wired.com/story/krack-wi-fi-wpa2-vulnerability/>: by
      replaying a handshake message an attacker can force a client to
      reinstall an already-used key and reuse nonces, which could be
      exploited to read and steal data that would otherwise be protected.
      The flaw is fixable in software, and a patched client remains
      compatible with unpatched access points.

   - *Introduction of Hack Back USA Regulation*
      - In the US, Tom Graves, R-Georgia, and Kyrsten Sinema, D-Arizona,
      introduced a revised version of the Active Cyber Defense Certainty Act
      (an update of a bill discussion draft that Graves proposed back in
      March), once again proposing the “use of limited defensive measures
      that exceed the boundaries of one’s network in order to monitor,
      identify and stop
      - Many cyber security professionals consider legalized hacking back
      a horrible idea.

   - *Microsoft Internal Security Bugs DB Hacked*
      - It becomes public
      according to five former employees, Microsoft’s secret internal database
      for tracking bugs in its own software was broken into in 2013 by a highly
      sophisticated hacking group.


   - *Root9B RIP*
      - IT security may be a hot industry, but just because you say you do
      security doesn’t mean you will have a successful company.
      - Root9B was the company listed as the #1 Hottest Company in the
      Cybersecurity Ventures 500 for 6 consecutive quarters, until suddenly
      it wasn’t anymore (on Nov. 13, root9B Holdings issued a press release
      saying NASDAQ was de-listing the firm on Nov. 15 and that it was
      ceasing operations at the end of the year).

   - *Infosec Community Sexual Harassment*
      - A report was published that Morgan Marquis-Boire – well known in the
      security community – confessed to countless sexual assaults.
      - A report was published that John Draper – legendary hacker – was
      kicked out of a conference for alleged sexual assault of minors.

   - *Tio Network Breach*
      - “Security vulnerabilities” force PayPal to shut down operations of
      the recently purchased
      subsidiary TIO Networks.
      - Within days of announcing the breach, a proposed investor class
      action suit was filed, accusing PayPal of hiding the incident and causing
      the stock price to drop. PayPal acquired TIO Networks for $238M in a deal
      that closed in July of 2017 and chose to shutter the service in early
      November – a short 4 months after the acquisition was complete. While the
      scope of the event is still unfolding, the failure to fully vet TIO’s
      security posture ahead of the deal has the potential to cost PayPal as
      much, if not more, than the purchase price already paid.

   - *Uber Breach / Bribe*
      - Uber announces that 57M customer contact details and another
      600,000 drivers’ personal information was exposed in a 2016 breach. The
      late disclosure would have been bad enough, but details emerged
that former
      employees of the company seemingly paid the perpetrators $100,000 to
      keep the incident quiet
      and delete the stolen data.
      - It was later reported that Uber used the HackerOne
      bug bounty platform to pay this “bounty”.

   - *Apple High Sierra Password Vulnerability*
      - A major Apple security flaw (CVE-2017-13872) grants admin access on
      macOS High Sierra without supplying a password: entering “root” with an
      empty password at an authentication prompt enabled the disabled root
      account and logged the user in.

   - *Boeing 757 Hack Disclosed*
      - It is announced publicly that in the previous year, DHS was able to
      hack a Boeing 757 via radio frequency communications without touching
      the plane.


   - *FCC Repeals Net Neutrality*
      - No one is really clear what this will actually mean
      for the Internet at this point, but there could also potentially
be impacts
      for information security as well.

   - *Kaspersky Banned*
      - Trump signs into law
      the banning of Kaspersky products in the government.

   - *US Blames North Korea for WannaCry*
      - The Trump administration publicly blames North Korea
      for unleashing the WannaCry cyber attack that crippled hospitals, banks,
      and other companies across the globe earlier this year.
      - Although the attack reportedly only generated about $50,000
      in ransom for the perpetrators, payments were made in Bitcoin. Since the
      attack in May, the value of Bitcoin has increased from approximately
      $2,000 USD per coin to $13,000 USD by late December. If the attackers
      have held on to the coin, the value of the payoffs will have increased
      more than six-fold.

   - *Wassenaar Arrangement*
      - A group of 41 nations gathered to officially update the language
      of the Wassenaar Arrangement, a voluntary agreement governing certain
      export controls on dual-use software and technology, including what
      are loosely termed “cyberweapons.”

While there are many more worldwide events that could be included in this
list, a lot of the issues detailed above were quite serious, with
substantial impact to organizations and their customers alike. What isn’t
clear is why, of all of the security topics the media focused on in 2017,
the following events failed to make headlines.

*Power Grid Issues/Attacks Imminent*

   - ICS/SCADA software continues to see critical vulnerabilities
   disclosed, as we tracked 359 in 2017 in our VulnDB platform
   - The DHS warned in October 2017 that they were seeing targeted attacks:
   “Based on malware analysis and observed [indicators of compromise], DHS has
   confidence that this campaign is still ongoing, and threat actors are
   actively pursuing their ultimate objectives over a long-term campaign,” DHS
   and FBI wrote in a joint technical alert
   <https://www.us-cert.gov/ncas/alerts/TA17-293A> in October.
   - In May 2017, power outage concerns were outlined in the executive
   order on cyber security.
   - The real question at this point is whether some of the media
   posts are intended to hype and scare readers
   or actually inform of very real scenarios that need to be addressed.

*Airport / Airline Outages*

   - 2017 saw several substantial outages for the airline industry.
   - Airports around the world suffered major technical problems in
   September 2017 connected to a temporary failure of a system for checking
   in passengers and luggage. Southwest Airlines’ reservations system
   provider Amadeus began experiencing outages, “impacting Southwest Airlines
   along with other airlines.”
   - Delta outages in January 2017 due to a technology glitch that canceled
   hundreds of flights were smaller than other episodes in recent months
   that cost airlines tens of millions of dollars, but they still served as
   a reminder of how fragile airline computer systems are.
   - The U.S. Government Accountability Office will launch an examination
   of airline IT outages and their impact on the traveling public, in the
   wake of massive technology glitches at Delta Air Lines and other carriers
   that have affected millions of travelers.
   - In May 2017 British Airways canceled flights from London’s two biggest
   airports after “a major IT system failure” caused severe disruption to
   flight operations worldwide, the airline said.
   - The issues here seem largely to be related to old IT infrastructure
   and application outages, but they do highlight how aging IT infrastructure
   and third party failures can be just as disruptive as a major malicious

*Sex Robots May Kill*

   - It was reported in September 2017 that a cyber security buff had
   issued a bizarre warning that sex robots could one day rise up and kill
   their owners if hackers can get inside their
   - Another report surfaced saying that sex robots could be used to murder
   people.
   - There were other reports of sex toys being hacked in 2017 as well.

*Car Wash Attacks*

   - At the DEF CON conference in August 2017, vulnerabilities were
   disclosed in car washes.
   - There were reports
   that suggested that a vehicle could be trapped and repeatedly smashed by
   the doors as well as doused with water.
   - “We believe this to be the first exploit of a connected device that
   causes the device to physically attack someone,” researchers presenting the
   proof-of-concept say.

The purpose of this post is more than a lament on the state of security.
Rather, let it serve as a reminder to all organizations that there is value
in understanding the underlying factors that caused major security issues
these past 12 months *before* jumping full force into new improvement
initiatives. When looking at how data breaches have occurred, there are
already some clear common themes that should be factored into any risk-based
approach to security improvement. When we finish our analysis of 2017, we
will publish our Year End DataBreach QuickView that will provide much more
With loads of new technology constantly coming out, we need to be able to
get a grip on current assets, work to better secure them, and take time to
fully evaluate the security of any new technology under consideration. At
the same time we need to understand new and expanding challenges such as:

   - Internet of Things
   - Containers
   - Blockchain
   - Drones
   - Virtual Reality / Augmented Reality
   - Self Driving Automobiles
   - Artificial Intelligence (AI) and Machine Learning (ML)

While it may be fun to try to make predictions, the truth is that no one
really knows what 2018 will bring, but we at Risk Based Security will
commit to keep tracking and documenting them all, so we can continue to
learn and improve information security efforts!

We hope everyone has a happy new year and that 2018 won’t be a repeat of
2017 when it comes to security issues!