[BreachExchange] 2017 Was A Nightmare Year For Security
Inga Goddijn
inga at riskbasedsecurity.com
Wed Jan 3 10:41:04 EST 2018
https://www.riskbasedsecurity.com/2018/01/2017-was-a-nightmare-year-for-security/
2017 has been a unique and tough year
<http://www.cnn.com/specials/world/year-in-review-2017> in many ways,
plagued by natural and man-made disasters alike. Warm waters in the
Caribbean and Gulf of Mexico spun up massive hurricanes, another major
earthquake rocked Mexico City, and monsoon rains in South Asia caused
immense damage and loss of life. Mother Nature wasn’t alone in wreaking
havoc, as we continue to see political conflicts around the world causing
mass displacement, unrest and even renewed fears military conflict is
coming soon. That said, while we tend to focus on the negative events,
there are websites that point out the great things happening
<https://thehappinesswagon.com/> worldwide, and there were positive events
this past year including the captivating Great American Eclipse
<https://www.greatamericaneclipse.com/>, a truly unique experience shared
by millions.
Unfortunately, trying to find 2017’s positive news in the information
security world has proven to be quite difficult. Plainly put, it has not
been a good year when it comes to cyber security. While people are busy
working on and publishing their 2018 predictions (which we tend to find
quite useless for the most part), we thought it would make more sense to
first reflect on 2017 and try to better understand the root cause for the
many things that went wrong.
*Just How Bad Was 2017?*
- As of December 31, there were over *5,000 publicly disclosed data
breaches in 2017*. Without a doubt that makes it the worst year in terms
of frequency, as the previous highest year was 4,190. This brings the
all-time total up to over *28,800 data breaches.*
- When we published our third quarter DataBreach QuickView Report
<https://www.riskbasedsecurity.com/2017/11/2017-yet-another-worst-year-ever-for-data-breaches/>
it had already been the worst year ever recorded in terms of the amount of
records exposed. There has been *7.8 Billion records exposed* thus far.
The previous highest was 2016 as well, and that was originally 4.3 Billion,
but just recently upped to 6.3B due to Yahoo! updating their breach. This
now brings us up over *19+ Billion records exposed all time.*
- When looking at the software that organizations rely on, there were over
20,000 vulnerabilities disclosed in 2017.
<https://vulndb.cyberriskanalytics.com/#statistics> Last year there were
15,866 disclosed vulnerabilities, a 25.5% increase in reported weaknesses.
-
*This means that 2017 was the worst year on record for frequency and
severity of data breaches as well as the most vulnerabilities disclosed
that we’ve ever seen.*
*2017 Security Events*
To illustrate the point, we have curated some of the more significant and
newsworthy events by month from 2017. While we do not intend for this to be
a comprehensive list, we do consider these events as representative of the
current state of the information security industry.
January
- *Chinese Data Breaches*
- There were two sizeable data breaches impacting Chinese
organizations.
- EmailCar (Shanghai Spring Rain Information Technology Co., Ltd.)
- Date: 2017-01-01
- 267,693,854 email addresses and phone numbers exposed in an
unsecure MongoDB installation and dumped on the Internet
- NetEase, Inc. dba 163.com
- Date: 2017-01-25
- 1,221,893,767 email addresses and passwords stolen by hackers
and sold on the Dark Web by DoubleFlag
- *Kaspersky Arrest*
- A key cybercrime investigator at Russia’s biggest cybersecurity firm
<http://www.businessinsider.com/ap-top-manager-at-russian-cybersecurity-firm-arrested-in-moscow-2017-1>,
Kaspersky, was arrested on charges of treason, Russia’s Kommersant
newspaper <http://www.kommersant.ru/doc/3200840> reported.
- *FTC v. D-Link*
- The FTC sued D-Link
<https://www.theverge.com/2017/1/7/14199232/ftc-sued-d-link-unsecure-routers-webcams-cybersecurity>
over unsecure routers and webcams.
- With these complaints the commission has recognized the inherent
danger in the growing number of connected devices, which can both leave
consumers at risk and be used maliciously.
- While this was a another potential big step in the ongoing efforts
of the FTC to address the growing consumer risk of insecure Internet of
Things devices, 3 of the 6 complaints were later dismissed i
<https://www.engadget.com/2017/09/21/ftc-lawsuit-d-link-lax-router-security-took-hit/>n
September.
- *WhatApp Backdoor*
- A security researcher discovered a backdoor in WhatsApp’s
<http://www.telegraph.co.uk/technology/2017/01/13/whatsapp-messages-can-read-exploiting-security-backdoor/>
method of end-to-end encryption.
- Concern was raised about the potential of a government agency being
effectively granted access to read messages.
February
- *CloudBleed*
- Tavis Ormandy from Google’s Project Zero contacted
<https://twitter.com/taviso/status/832744397800214528> Cloudflare to
report a security problem with their edge servers. He was seeing
corrupted
web pages being returned by some HTTP requests run through Cloudflare.
- This was a significant vulnerability
<https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/>
leaking sensitive data in a cloud solution that at the time was
protecting
6 million websites.
- *Philippines List of Registered Voters Exposed*
- Republic of the Philippines Commission on Elections (COMELEC)
- Date: 2017-02-16
- 55,195,674 voter records contained in the National List of
Registered Voters (NLRV) and Voter Search application as well as an
additional 58,346 biometric records belonging to Wao, Lanao del
Sur voters
held on stolen computer
- *White House Cyber Security Shakeup*
- The Chief Information Security Officer for the White House’s
Executive Office of the President was removed from his position
<http://www.zdnet.com/article/white-house-chief-information-security-officer-departs/>
.
March
- *ShadowBrokers Dump*
- An anonymous group calling themselves the Shadow Brokers
<https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/>
gained access to NSA hacking tools and exposed vulnerabilities including
some significant exploits.
- *Wikileaks Vault 7 – CIA Leak*
- Wikileaks published CIA material
<https://www.riskbasedsecurity.com/2017/03/wikileaks-vault-7-leak-exposes-cia-hacking-documents/>
with revelations included iOS and Android vulnerabilities, bugs
in Windows,
and the ability to turn some smart TVs into listening devices.
April
- *Cylance Layoffs*
- Cylance, one of the strongest recent success stories in the
security market was hit by a round of layoffs
<http://www.crn.com/news/security/300084449/sources-cylance-hit-by-layoffs-company-says-cuts-are-part-of-overall-realignment.htm>,
multiple sources close to the company told CRN.
- *Zero Days*
- Four 0-days were discovered in the wild. One in Ghostscript
<http://ghostbutt.com/>, one in Microsoft Internet Explorer, and two
in Microsoft Office. One of the Microsoft Office vulnerabilities
have been
very actively exploited since then (CVE-2017-0199).
May
- *WannaCry*
- The now infamous and widespread WannaCry worm ransomware
<https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know/>
event causes major outages. This event was due to ShadowBrokers/NSA
exploits that were published earlier in the year.
- Costs due to this event have been estimated to be as high as $4B USD
<https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/>
.
- *DU Group dba DU Caller Breach*
- Date: 2017-05-13
- 2,000,000,000 user phone numbers, names, and addresses
inappropriately made accessible to others through an uncensored public
directory
- *OneLogin Breach*
- Date: 2017-05-31
- Single sign on service OneLogin has AWS keys snatched
<https://www.onelogin.com/blog/may-31-2017-security-incident>, giving
persons unknown access to their AWS platform and for a few
hours, access to
database tables
June
- *Petya / NotPeyta*
- On the heels of WannaCry another ransomware event hit in June
called NotPetya
<https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/>
(dubbed NotPetya because it masquerades as the Petya
<https://www.theregister.co.uk/2017/03/15/petya_returns_wrapped_in_extra_vx_nastiness/>
ransomware)
- A firm called M.E.Doc’s accounting
<https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoored-3-times-servers-left-without-updates-since-2013/>
software was compromised and used to spread the ransomware.
- The NotPetya event caused serious disruption to businesses around
the world, reportedly costing TNT Express FedEx $300M USD
<http://www.zdnet.com/article/notpetya-cyber-attack-on-tnt-express-cost-fedex-300m/>
and a similar amount for shipping giant Maersk
<https://www.theregister.co.uk/2017/08/16/notpetya_ransomware_attack_cost_us_300m_says_shipping_giant_maersk/>,
who was also got hit by the malware.
- *Deep Root Analytics Breach*
- Date: 2017-06-19
- Approximately 198,000,000 voter names, addresses, dates of birth,
phone numbers, party affiliations, ethnicities, voter
registration details,
Do-Not-Call statuses, and policy preference scores left exposed in an
unsecured Amazon S3 bucket.
July
- *HBO Hack*
- Hackers attack HBO
<http://www.latimes.com/business/hollywood/la-fi-ct-hbo-game-of-thrones-hack-20170731-story.html>
and say that they have stolen and leaked a trove of HBO data onto the
Internet, including a script for an upcoming episode of “Game of Thrones”
as well as video of new episodes of shows such as “Ballers”, “Insecure”,
and “Room 104”. And, they say, there’s more to come.
- *Reliance Jio Infocomm Ltd Breach*
- Date: 2017-07-09
- 120,000,000 customer names, phone numbers, email addresses, and SIM
activation dates accessed by hackers using stolen login credentials
- *Electronic Voting Machines Hacked @ DEF CON*
- Participants were able to successfully breach the software of U.S.
voting machines
<http://www.newsweek.com/hackers-breach-usvoting-machines-90-minutes-def-con-competition-643858>
in less than two hours at a competition in Las Vegas.
August
- *MalwareTech Arrested*
- Marcus Hutchins
<http://www.latimes.com/business/technology/la-fi-tn-marcus-hutchins-20170803-story.html>,
Cybersecurity expert hailed for stopping WannaCry attack was quietly
arrested as the British resident prepared to fly out of Las
Vegas, the site
of DEF CON conference.
- The widely celebrated cybersecurity researcher
<https://krebsonsecurity.com/2017/09/who-is-marcus-hutchins/> was
indicted on charges of developing software that has stolen banking
credentials from an untold number of people.
- *Abbott Pacemaker Recalls*
- Medical device maker Abbott announces
<http://www.raps.org/Regulatory-Focus/News/2017/08/30/28370/Abbott-Recalls-465000-Pacemakers-for-Cybersecurity-Patch/>
that it is voluntarily recalling some 465,000 pacemakers to install a
firmware update to patch vulnerabilities in the devices.
- *Unknown Organization Breach*
- Date: 2017-08-29
- 711,000,000 email addresses, passwords, and SMTP credentials
exposed on the Internet due to a misconfigured spambot database
September
- *Bluetooth (Blueborne)*
- New vulnerabilities
<https://www.engadget.com/2017/09/12/blueborne-bluetooth-exploit-ios-android-windows/>
were disclosed in computers and mobile devices that leaves them
susceptible
to attack via Bluetooth.
- The BlueBorne exploit doesn’t require user permission or to even
pairing with devices, and it can simply connect over the air and access
networks or install malware.
- *Kaspersky Banned*
- The US government bans federal agencies from using cybersecurity
software made by Russian company Kaspersky Lab
<https://www.theguardian.com/technology/2017/sep/13/us-government-bans-kaspersky-lab-russian-spying>
over fears that the firm has ties to state-sponsored spying programs
- Best Buy pulls Kaspersky Lab products
<https://www.theverge.com/2017/9/9/16280728/best-buy-pulls-kaspersky-lab-products-russia-cybersecurity>
after concerns over ties to the Russian government.
- *Equifax Breach*
- Equifax has a data breach
<https://www.riskbasedsecurity.com/2017/09/equifd-equifax-breach-response-off-to-a-rough-start/>
that discloses 145,500,000 consumers’ names, dates of birth, Social
Security numbers, addresses, and driver’s license numbers, as well as
209,000 credit or debit card numbers and 182,000 dispute documents
containing unknown personal identifying information. The breach is caused
by hackers exploiting a vulnerability known as Struts Shock in the Apache
Struts framework, which Equifax had neglected to fix.
- *Deloitte Breach*
- While most were paying attention to the Equifax breach, Deloitte
ends up having a substantial breach disclosed as well.
- It was reported
<https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails>
that the hacker compromised the firm’s global email server through an
“administrator’s account” that, in theory, gave them privileged,
unrestricted “access to all areas”.
October
- *WPA2 – Wireless Broken*
- The KRACK (Key Reinstallation Attacks) vulnerability is disclosed
<https://www.krackattacks.com/> which details a flaw in WPA2’s
cryptographic protocols
<https://www.wired.com/story/krack-wi-fi-wpa2-vulnerability/>, which
could be exploited to read and steal data that would otherwise
be protected.
- *Introduction of Hack Back USA Regulation*
- In the US, Tom Graves, R-Georgia, and Kyrsten Sinema, D-Arizona,
introduce
<https://tomgraves.house.gov/news/documentsingle.aspx?DocumentID=398840>
a revised version of the Active Cyber Defense Certainty Act (an
update of a
bill discussion draft that Graves proposed back in March
<https://tomgraves.house.gov/news/documentsingle.aspx?DocumentID=398726>)
once again proposing the “use of limited defensive measures that
exceed the
boundaries of one’s network in order to monitor, identify and stop
attackers.”
- Many cyber security professionals believe that the idea of legal
hacking back is a horrible idea.
<http://www.slate.com/articles/technology/future_tense/2017/10/hacking_back_the_worst_idea_in_cybersecurity_rises_again.html>
- *Microsoft Internal Security Bugs DB Hacked*
- It becomes public
<https://www.reuters.com/article/us-microsoft-cyber-insight/exclusive-microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idUSKBN1CM0D0>that,
according to five former employees, Microsoft’s secret internal database
for tracking bugs in its own software was broken into in 2013 by a highly
sophisticated hacking group.
November
- *Root9B RIP*
- IT security may be a hot industry, but just because you say you do
security doesn’t mean you will have a successful company.
- Root9B
<https://krebsonsecurity.com/2017/11/r-i-p-root9b-we-hardly-knew-ya/>
was the company that was listed as #1 Hottest Company by
Cybersecurity Ventures 500 for 6 consecutive quarters
<https://www.root9b.com/newsroom/root9b-remains-1-cybersecurity-500-6th-consecutive-quarter>
until suddenly it wasn’t anymore (On Nov. 13, root9B Holdings issued a
press release
<https://www.prnewswire.com/news-releases/root9b-holdings-announces-discontinuation-of-operations-300555071.html>
saying NASDAQ was de-listing the firm on Nov. 15 and that it was ceasing
operations at the end of this year.).
- *Infosec Community Sexual Harassment*
- Report publishe
<https://www.theverge.com/2017/11/19/16675704/morgan-marquis-boire-hacker-sexual-assault>s
that Morgan Marquis-Boire – well known in the security community –
confesses to countless sexual assaults.
- Report publishe
<http://dailycaller.com/2017/11/18/report-legendary-hacker-kicked-out-of-conference-for-alleged-sexual-assault-of-minors/>s
that John Draper – legendary hacker – is kicked out of a conference for
alleged sexual assault of minors.
- *Tio Network Breach*
- “Security vulnerabilities” force PayPal to shut down operations of
the recently purchased
<http://www.tionetworks.com/PYPL_News_2017_11_10_General_Releases.pdf>
subsidiary TIO Networks.
- Within days of announcing the breach, a proposed investor class
action suit was filed, accusing PayPal of hiding the incident and causing
the stock price to drop. PayPal acquired TIO Networks for 238M in a deal
that closed in July of 2017 and chose to shutter the service in early
November – a short 4 months after the acquisition was complete. While the
scope of the event is still unfolding, the failure to fully vet TIO’s
security posture ahead of the deal has the potential to cost PayPal as
much, if not more, than the purchase price already paid.
- *Uber Breach / Bribe*
- Uber announces that 57M customer contact details and another
600,000 drivers’ personal information was exposed in a 2016 breach. The
late disclosure would have been bad enough, but details emerged
that former
employees of the company seemingly paid the perpetrators $100,000 to
keep the incident quiet
<https://arstechnica.com/tech-policy/2017/11/report-uber-paid-hackers-100000-to-keep-2016-data-breach-quiet/>
and delete the stolen data.
- It was later reported that Uber used the HackerOne
<https://arstechnica.com/information-technology/2017/12/uber-used-bug-bounty-program-to-launder-blackmail-payment-to-hacker/>
bug bounty platform to pay this “bounty”.
- *Apple High Sierra Password Vulnerability*
- A major Apple security flaw
<https://www.theverge.com/2017/11/28/16711782/apple-macos-high-sierra-critical-password-security-flaw>
grants admin access on macOS High Sierra without supplying a password.
- *Boeing 757 Hack Disclosed*
- It is announced publicly that in the previous year, DHS was able to
hack a Boeing 757
<http://www.aviationtoday.com/2017/11/08/boeing-757-testing-shows-airplanes-vulnerable-hacking-dhs-says/>via
radio frequency communications without touching the plane.
December
- *FCC Repeals Net Neutrality*
- No one is really clear what this will actually mean
<https://www.nytimes.com/2017/12/14/technology/net-neutrality-repeal-vote.html>
for the Internet at this point, but there could also potentially
be impacts
for information security as well.
- *Kaspersky Banned*
- Trump signs into law
<https://www.reuters.com/article/us-usa-cyber-kaspersky/trump-signs-into-law-u-s-government-ban-on-kaspersky-lab-software-idUSKBN1E62V4>
the banning of Kaspersky products in the government.
- *US Blames North Korea for Wannacry*
- The Trump administration publicly blames North Korea
<https://www.reuters.com/article/us-usa-cyber-northkorea/u-s-blames-north-korea-for-wannacry-cyber-attack-idUSKBN1ED00Q>
for unleashing the WannaCry cyber attack that crippled hospitals, banks,
and other companies across the globe earlier this year.
- Although the attack reportedly only generated about $50,000
<https://www.cnbc.com/2017/05/15/wannacry-ransomware-hackers-have-only-made-50000-worth-of-bitcoin.html>
in ransom for the perpetrators, payments were made in Bitcoin. Since the
attack in May, the value of Bitcoin has increased from
approximately $2,000
USD per coin to $13,000 USD by late December. If the attackers
have held on
to the coin, the value of the payoffs will have increased 5 times over.
- *Wassenaar Arrangement*
- A group of 41 nations gathered
<http://thehill.com/opinion/cybersecurity/365352-serious-progress-made-on-the-wassenaar-arrangement-for-global>
to officially update the language of the Wassenaar Arrangement,
a voluntary
agreement governing certain export controls for classified dual-use
software and technology, otherwise known as “cyberweapons.”
While there are many more worldwide events that can be included in this
list, a lot of the issues detailed above were quite serious, with
substantial impact to organizations and their customers alike. What isn’t
clear is that, of all of the security topics the media focused on in 2017,
why these following events failed to make headlines.
*Power Grid Issues/Attacks Imminent*
- ICS/SCADA software continues to see critical vulnerabilities
disclosed, as we tracked 359 in 2017 in our VulnDB platform
<https://vulndb.cyberriskanalytics.com/vulnerabilities/dashboard>.
- The DHS warned
<http://www.powermag.com/dhs-fbi-identify-tactics-in-cyberattack-campaign-targeting-industrial-control-systems/>
in October 2017 that they were seeing targeted attacks and “Based on
malware analysis and observed [indicators of compromise], DHS has
confidence that this campaign is still ongoing, and threat actors are
actively pursuing their ultimate objectives over a long-term campaign,” DHS
and FBI wrote in a joint technical alert
<https://www.us-cert.gov/ncas/alerts/TA17-293A> in October.
- In May 2017, there were power outage concerns outlined
<https://www.usatoday.com/story/tech/news/2017/05/12/threats-power-outages-special-concern-order-cybersecurity/101593650/>
in the cyber security order.
- The real question at this point is whether or not some of the media
posts are intending to hype and scare readers
<https://www.forbes.com/sites/stevemorgan/2016/02/07/campaign-2016-major-cyber-attack-on-u-s-power-grid-is-likely/>
or actually inform of very real scenarios that need to be addressed.
*Airport / Airline Outages*
- 2017 saw several substantial outages for the airline industry.
- Airports around the world
<http://money.cnn.com/2017/09/28/news/airport-outages-global-airlines/index.html>
suffered major technical problems in September 2017 connected to a
temporary failure of a system for checking in passengers and
luggage. Southwest
said
<http://airport.blog.ajc.com/2017/09/28/southwest-airlines-hit-by-computer-glitch/>
its reservations system provider Amadeus began experiencing outages
starting, “impacting Southwest Airlines along with other airlines.”
- Delta outages in January 2017
<https://www.usatoday.com/story/news/2017/01/30/delta-outage-airline-technology-problems/97250834/>
due to a technology glitch that canceled hundreds of flights were smaller
than other episodes in recent months that cost airlines tens of millions of
dollars, but it still served as a reminder of fragile airline computers
systems.
- The U.S. Government Accountability Office will launch
<http://airport.blog.ajc.com/2017/09/28/federal-watchdog-to-look-into-airline-outages/>
an examination of airline IT outages and their impact on the traveling
public, in the wake of massive technology glitches at Delta Air Lines and
other carriers that have affected millions of travelers.
- In May 2017 British Airways
<http://www.cnn.com/2017/05/27/world/british-airways-computer-failure/index.html>
canceled flights from London’s two biggest airports after “a major IT
system failure” caused severe disruption to flight operations worldwide,
the airline said.
- The issues here seem largely to be related to old IT infrastructure
and applications outages, but it does highlight how aging IT infrastructure
and third party failures can be just as disruptive as a major malicious
attack.
*Sex Robots May Kill*
- It was reported in September 2017
<http://www.foxnews.com/tech/2017/09/11/hackers-could-train-sex-robots-to-kill-cyber-security-expert-warns.html>
that a cyber security buff has issued a bizarre warning that sex robots
could one day rise up and kill their owners if hackers can get inside their
heads.
- Another reported surfaced
<http://www.newsweek.com/hacked-sex-robots-could-murder-people-767386>,
saying that sex robots could be used to murder people.
- There were other reports
<http://www.newsweek.com/hacked-butt-plug-controlled-anywhere-lovense-sex-toy-687719>
of sexual toys hacked as well in 2017.
*Car Wash Attacks*
- At the DEF CON conference in August 2017, vulnerabilities were
disclosed in car washes.
- There were reports
<https://motherboard.vice.com/en_us/article/bjxe33/car-wash-hack-can-smash-vehicle-trap-passengers-douse-them-with-water>
that suggested that a vehicle could be trapped and repeatedly smashed by
the doors as well as doused with water.
- “We believe this to be the first exploit of a connected device that
causes the device to physically attack someone,” researchers presenting the
proof-of-concept say.
The purpose of this post is more than a lament on the state of security.
Rather, let it serve as a reminder to all organizations that there is value
in understanding the underlying factors that caused major security issues
these past 12 months *before* jumping full force into new improvement
initiatives. When looking how data breaches have occurred there are already
some clear common themes that should be factored into any risk-based
approach to security improvement. When we finish our analysis of 2017, we
will publish our Year End DataBreach QuickView that will provide much more
information.
With loads of new technology constantly coming out, we need to be able to
get grips on current assets, work to better secure them, and take time to
fully evaluate the security of any new technology under consideration. At
the same time we need to understand new and expanding challenges such as:
- Internet of Things
- Containers
- Blockchain
- Drones
- Virtual Reality / Augmented Reality
- Self Driving Automobiles
- Artificial Intelligence (AI) and Machine Learning (ML)
While it may be fun to try to make predictions, the truth is that no one
really knows what 2018 will bring, but we at Risk Based Security will
commit to keep tracking and documenting them all, so we can continue to
learn and improve information security efforts!
We hope everyone has a happy new year and that 2018 won’t be a repeat of
2017 when it comes to security issues!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180103/a7dc389c/attachment.html>
More information about the BreachExchange
mailing list