Acumin’s Cyber/IT/Information Security Year in Review – 2015: Q1

In Information Security | By Ryan Farmer / 8th January 2016

If 2014 was the year cyber security broke into the mainstream, then 2015 has been a classic case of the ‘difficult second album’. The sad fact is that, for all that’s been achieved, we still live in a world where people unwittingly but very willingly broadcast their date of birth and their mother’s maiden name, first pet or childhood street (basically anything a security question might ask for) in public social media posts, all to learn their Hobbit or band alias. Or there are all those incredibly cheap Ray-Ban offers that Facebook friends seem unable to resist sharing. So while it is true that gains have been made in the awareness of the general population, there have been as many faux pas and misunderstandings from CEOs, the press (not every breach is a ‘hack’!), and even our own cryptophobic government.

That Theresa May et al. even consider an encryption-less or backdoor-laden digital world a possibility demonstrates just how far removed policymakers are from the realities of technology: a backdoor built for the Home Office is a backdoor for whoever else finds the key. Views within parliament are almost as archaic as the laws underpinning the digital economy, and recent directives from the EU, the Commons and the Home Office remain just as out of touch. Ultimately the fear for our industry is that similar belief systems exist within boardrooms up and down the country, as we strive to define what ‘secure’ actually means above and beyond the relative reassurance afforded by box-ticking exercises.

Last year in the world of security, we were concerned about whether The Interview should or shouldn’t have been released (reviews suggest the latter), the merit of branding vulnerabilities, why multiple security alerts shouldn’t go ignored, the availability of our questionable iCloud selfies, and how enthusiastically large American retailers were sharing customer credit card details with cybercriminals.

This year we’ve seen as many, if not more, breaches and compromises, albeit of a very different nature. Join us as we recap the ransomware, the face-palm-inducing moments of naivety, the rise and rise of hacktivism, state-sponsored espionage effectively amounting to a cyber cold war, and the numerous reminders of why you probably shouldn’t trust third-party suppliers.

 

January – Literally the month that started it all

There is always a mentality that you should start the year as you mean to go on, and this is perhaps the main reason we all set ourselves the impossible standards of a New Year’s resolution. While the industry may have started 2015 with the best-laid plans of mice and men, old habits soon reappeared.

It didn’t take long for the cryptocurrency bubble to burst, as the popular UK-based exchange Bitstamp became the first of many bitcoin exchanges to find its coffers plundered. It may not have been the biggest of such incidents, but it was a stark reminder that a currency with irreversible transfers and no central authority leaves you with no one to call once a custodian’s keys are compromised.

Meanwhile, adult video site xHamster carried the real-world risks of promiscuity over to the digital realm, as visitors found themselves hit by a series of malvertising attacks. This wasn’t to be the last time that such sites (including this specific one) would leave viewers with ‘unexpected’ extras, and it reinforced the case for patching browser plugins promptly: malvertising needs neither a click nor a download, just an exploit kit meeting an unpatched browser.

At the start of the year, the Twittersphere was alight with tributes to those who tragically lost their lives in the Charlie Hebdo attacks. The social network of 140 characters or fewer has always been seen to have something of a soft underbelly, and there was an air of inevitability about the moment Le Monde fell foul of jihadi sympathisers and broadcast simply, “Je ne suis pas Charlie.”

Not to be outdone, pop songstress Taylor Swift was similarly a victim of poor online password security, perhaps wishing she had taken a page out of her ‘own’ book (www.twitter.com/SwiftOnSecurity), when she temporarily lost control of both her Twitter and Instagram accounts. Thankfully two-factor authentication has since been rolled out, but there are questions about user inertia, and I suspect a general lack of uptake of this extra measure: an optional second factor only protects the accounts that switch it on.

The media did their part too in setting the tone, as the New York Post temporarily lost control of its Twitter account, which was then used to falsely report the outbreak of hostilities between China and the US. Despite the shock nature of the claims, anyone familiar with our industry knows this is a battle that has long been fought online.

As if the Le Monde incident wasn’t enough to emphasise that actions in the real world now spill over into online domains, we found what effectively amounted to cyberwar breaking out around the Crimea conflict between the Eastern European hacking powerhouses Russia and Ukraine.

On the subject of concerning precedents, dating site Topface opted to pay a hacker’s ransom demand after being breached, effectively buying back its own database of some 20m records and setting a price for the next extortionist to aim at.

 

February – Rise of the saboteur

Perhaps the biggest controversy and threat to privacy to emerge in February was the discovery that Lenovo had been shipping consumer laptops preloaded with its Superfish software… let’s just agree to call it malware. It installed its own self-signed root certificate into the Windows trust store and used the same private key on every machine, so it could forge a certificate for any HTTPS site and run an SSL-in-the-middle attack to deliver its own targeted ads behind ‘secure’ connections. Once that key had been extracted, which did not take researchers long, anyone on the same network could do the same, and it was always going to be a worrying backdoor. At least now we know how they manage to keep their device margins so lean. At the time Dell looked on with barely contained glee and a glint in its eye as it championed its own privacy values. Fast forward to November 24th of this year and the discovery of the similarly functioning eDellRoot certificate, private key included, has left them looking a little red-faced.
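One practical check for this class of problem, added here as an example rather than code from Lenovo, Dell or the article: look at who issued the certificate your machine accepts for a public site. The check works on the dictionary that Python’s `ssl.SSLSocket.getpeercert()` returns, so it runs offline on the constructed sample below; `fetch_peer_cert()` does the live lookup against a real host. The issuer names are the two roots discussed above; the sample chains and the public CA name are made up.

```python
"""Spot a TLS interception root such as Superfish or eDellRoot.

Added example, not Lenovo's, Dell's or the article's code. The pure check
works on the dictionary that ssl.SSLSocket.getpeercert() returns, so it runs
offline on the constructed samples below; fetch_peer_cert() does the live
lookup when you want to test a real laptop.
"""
import socket
import ssl

# Names of the two consumer-laptop interception roots the article discusses.
# Add anything else you find sitting in your own trust store.
INTERCEPTION_ISSUERS = {"Superfish, Inc.", "eDellRoot"}


def issuer_fields(cert):
    """Flatten getpeercert()'s issuer, a tuple of RDNs each holding
    (attribute, value) pairs, into a plain dict."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for attribute, value in rdn:
            fields[attribute] = value
    return fields


def is_intercepted(cert):
    """True if the leaf certificate was signed by a known interception root.

    A genuine certificate for a public site is issued by a public CA. If the
    issuer is a root that exists only on this machine, something local is
    decrypting and re-signing the traffic, and because Superfish shipped the
    same private key on every laptop, so could anyone else on the network.
    """
    fields = issuer_fields(cert)
    names = {fields.get("commonName"), fields.get("organizationName")}
    return bool(names & INTERCEPTION_ISSUERS)


def fetch_peer_cert(host, port=443, timeout=5):
    """Live check: the server certificate as the local trust store sees it.

    wrap_socket() only succeeds if the chain validates, so on an affected
    laptop (where Python's ssl loads the Windows root store) the forged leaf
    comes back looking perfectly valid; only the issuer gives it away."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format: the first is what a
# Superfish-equipped laptop would have seen for any site it visited, the
# second a normal chain from a made-up public CA.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Superfish, Inc."),),
        (("commonName", "Superfish, Inc."),),
    ),
}

SAMPLE_GENUINE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA RSA 2015"),),
    ),
}


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python superfish_check.py github.com
        cert = fetch_peer_cert(sys.argv[1])
    else:
        cert = SAMPLE_INTERCEPTED
    verdict = "INTERCEPTED" if is_intercepted(cert) else "ok"
    print(verdict, issuer_fields(cert))
```

A name match is the cheap version; the thorough one is to pin the issuer you expect for each site you care about, because the next interception product will not announce itself with a name you already know.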

Lizard Squad renewed their disruption of both Xbox Live and the PlayStation Network, having of course already ruined Christmas Day 2014 by forcing all the boys and girls to spend time with their actual families rather than their preferred raiding squad partners. The irony of that attack is that it achieved little: anyone who has tried to update a current-gen console and install discs, particularly during busy periods, knows this wouldn’t have been done until New Year anyway! It is worth noting that in our time of need we didn’t get the hero we needed but the one we deserved… champion of privacy and famed pirate Kim Dotcom made a princely offering of premium MEGA accounts to discourage further DDoS attacks come Boxing Day. Surprisingly, it worked.

No one likes a prequel, just ask George Lucas (I still maintain Revenge of the Sith was a good film), but that’s exactly what we got this month. 2015’s most talked-about telco, TalkTalk, fell foul of a reasonably significant data loss, in what would turn out to be a warning shot for far worse things to come. Still, the important thing when you suffer a breach is not to point the finger of blame but to learn the lesson…

Another victim of repeated incidents this year was Britain’s favourite scantily-clad chef. Taking a break from crusading against the favourite foods of the nation’s children, Jamie Oliver’s WordPress-based website started serving up malware to unsuspecting home cooks instead of its usual assortment of recipes for ‘pukka grub’.

There was some debate about the extent of the impact on financial institutions of Russian cybercriminals’ Carbanak campaign (or Anunak, depending on whose account you opt for), but what isn’t contested is the complexity of the APT and the methods used: spear-phishing bank staff, then sitting on the network for months learning how money moved before touching any of it. According to Kaspersky, the group made off with some $500m–$1bn in misappropriated funds. One method described was money mules visiting ATMs at pre-arranged times, just as the machines were remotely instructed to make it rain roubles.

And of course the biggest event of February, in terms of sheer quantity alone, was the Anthem breach. Apparently the work of China-based attackers focused on corporate data, some 80 million customer records (names, dates of birth, social security numbers, addresses and employment details, rather than medical records as such) were taken. Unencrypted. In a HIPAA-regulated environment. The intrusion went on for weeks, and even once it had stopped it was a further month before anyone noticed something was awry.

 

March – A month of mimicry & sequels

Before the dust had even settled on the previous incident, Jamie Oliver was again using his website to evangelise for the security industry at the start of spring. Is there no just cause this man won’t champion!?

We were dealt yet another reminder, if one were needed, that you are only as secure as your weakest supplier. Sacred Heart Health System followed Anthem into the headlines after an employee at a third-party billing provider had their email account compromised. Billing information for some 14,000 patients was subsequently stolen; you would suspect the renewal discounts offered were substantial.

On the subject of rival businesses falling over themselves to see who can leak the most, cryptocurrency exchanges Cryptoine and AllCrypt had their coffers cleared out entirely and simply shut down in response. Bitcoin transactions are irreversible by design, so the funds will never be recovered.

Competitive advantage is key in any sector, and this is no less true in the closely contested world of online pornography. Keeping pace with rival websites, Xtube also started spewing malware at unsuspecting users. The case for installing an ad blocker continues to grow as display advertisers focus on profitability over responsibility.

Those with more earnest intentions online seized the moment to exploit weak security practices and spread word of their cause. Anonymous temporarily took down the City of Madison government and emergency services’ online presence in response to officer-on-citizen shootings. Air France lost control of its mutual site to Algerian activists in retaliation for the massacres of 1945; and on shores even closer to home, our very own British Airways found its frequent flyer scheme hit. The Chinese ‘fired’ their Great Cannon from beyond the confines of the Great Firewall at GitHub. The system sat in-line on international links, intercepted unencrypted traffic bound for Baidu and swapped in JavaScript that turned every visitor’s browser into a DDoS bot aimed at the GitHub pages hosting anti-censorship tools (GreatFire’s, and a mirror of the New York Times’ Chinese edition). The lesson for everyone else is that any script fetched over plain HTTP can be replaced in transit; the irony of the attack itself was apparently lost on Beijing. Inevitably the media got terribly excited talking about cyber arsenals, virtual battlefields, digital warriors and the like; meanwhile the industry let out a collective groan.

At an industry-wide level we saw very focused and persistent attacks against oil and gas companies globally. Given the tool’s behaviour (reconnaissance and data theft first, with backdoors left behind for later) and the targets hit by Trojan.Laziok (namely companies in the Middle East, the UK and the US), there are very legitimate reasons to suspect industrial espionage as the motivator.

It wasn’t all doom and gloom though. Game-streaming service Twitch, despite its relative infancy, seemed to buck the trend and disclose well in response to a breach… initially anyway. Upon discovering potentially unauthorised access, it disconnected linked social media accounts, reset passwords, notified users in a timely fashion, and introduced strong password requirements. The last of these became a point of contention with the public, which turned its nose up at an entropy-based strength meter; security commentators were then disappointed to see Twitch drop it for simpler character-class complexity rules in response to the backlash. Complexity rules are satisfied by exactly the predictable substitutions every cracking wordlist already contains, which is what an entropy estimate is meant to catch. So close.
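To make the difference between the two approaches concrete, here is an added example (not Twitch’s code; their scoring rules were never published) that scores the same candidate passwords both ways. The entropy estimate is a deliberately small version of what zxcvbn-style meters do: a brute-force figure per character, then deductions for dictionary words, keyboard runs and repeated characters. The 50-bit threshold and the tiny wordlist are assumptions for the demonstration.

```python
"""Character-class complexity rules versus an entropy estimate.

Added example, not Twitch's code: their scoring rules were never published,
so this illustrates the two philosophies the article contrasts. The entropy
estimate is deliberately simple: brute-force pool size per character, then
deductions for dictionary words, keyboard runs and repeated characters, the
kind of thing zxcvbn-style meters do with far larger wordlists. The 50-bit
threshold and the tiny wordlist are assumptions for the demo.
"""
import math
import re

MIN_BITS = 50  # assumed policy threshold

# Constructed mini wordlist; a real deployment loads a proper one.
KNOWN_SEQUENCES = {
    "password", "qwerty", "letmein", "welcome", "dragon", "monkey",
    "twitch", "iloveyou", "asdfgh", "zxcvbn", "123456", "abcdef",
}

# Undo the substitutions every cracking rule set already knows about.
LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "!": "i", "1": "l"})

CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))


def passes_complexity(pw):
    """The classic rule: at least 8 characters drawn from 3 of the 4 classes."""
    classes = sum(bool(re.search(pattern, pw)) for pattern, _ in CLASSES)
    return len(pw) >= 8 and classes >= 3


def estimate_entropy_bits(pw):
    """Rough guess-resistance in bits, as an attacker would see it."""
    if not pw:
        return 0.0
    pool = sum(size for pattern, size in CLASSES if re.search(pattern, pw))
    per_char = math.log2(pool)
    bits = len(pw) * per_char  # naive brute-force figure

    # A dictionary word or keyboard run, l33t-spelled or not, costs the
    # attacker one wordlist entry plus a few mangling bits, not one unknown
    # symbol per character. Two passes (raw, then de-l33ted) so "123456" and
    # "P@ssw0rd" are both caught; each match is masked so it counts once.
    masked = pw.lower()
    for leet_pass in (False, True):
        if leet_pass:
            masked = masked.translate(LEET)  # "\0" masks survive translation
        for seq in sorted(KNOWN_SEQUENCES, key=len, reverse=True):
            while seq in masked:
                masked = masked.replace(seq, "\0" * len(seq), 1)
                bits -= len(seq) * per_char
                bits += math.log2(len(KNOWN_SEQUENCES)) + 2

    # Runs of one repeated character (aaaa, 1111) add almost nothing.
    for run in re.finditer(r"(.)\1{2,}", pw):
        bits -= (len(run.group()) - 1) * per_char * 0.75

    return max(bits, 0.0)


def passes_entropy(pw):
    return estimate_entropy_bits(pw) >= MIN_BITS


def compare(pw):
    """Return both verdicts so the disagreement is visible."""
    return {
        "password": pw,
        "complexity": passes_complexity(pw),
        "bits": round(estimate_entropy_bits(pw), 1),
        "entropy": passes_entropy(pw),
    }


if __name__ == "__main__":
    # "P@ssw0rd1!" satisfies every complexity rule and is one wordlist guess
    # away; the passphrase fails the rules and is far stronger.
    for candidate in ("P@ssw0rd1!", "Qwerty123!", "aaaaaaaa",
                      "correct horse battery staple"):
        print(compare(candidate))
```

With this tiny wordlist the passphrase scores higher than a real meter would give it (each of its words is in any decent dictionary), but the ordering is the point: the rule-compliant `P@ssw0rd1!` lands near the bottom, which is the case the public backlash ignored.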