The unconventional list of top security events in 2015

Konstantin Goncharov recaps the most significant security events of 2015.

There were many security stories in 2015. Narrowing down the list to 10 is quite a daunting task. However, in order to stay neutral I decided to choose the 10 most popular stories on Threatpost. Surely anyone in the IT or security space will have their own top 10, but I tried my best to be unbiased – it’s not me who chose the stories but the readers. Still, if you disagree or feel that I have missed a story or two, please drop a note in the comments below. So now, without further ado, here is the list of the Top 10 security stories of 2015.

This year’s list will be broken into five key categories:

  • Low-profile end-user threats;
  • ‘Least expected’ vulnerabilities: IoT, home appliances and industrial networking appliances security;
  • Encryption issues;
  • Well-publicized vulnerabilities in major platforms and high-end cyberthreats, and examples of most advanced attacks;
  • Routine yet dangerous bugs in commodity software.

Let’s get started!

End-user threats

#10 A Trojan in Facebook, spotted back in January (story). Over 110,000 Facebook users infected their devices with this Trojan by clicking on a malicious link on the social network! No way!

Unfortunately, the majority of users on the Internet are often collateral damage in the cyberwar between cybercriminals and the good guys. A typical example is a Trojan masking as an Adobe Flash update and installing a keylogger on the victim’s machine. We constantly track these types of incidents, but they rarely get shortlisted for any kind of rating, as security experts are typically not overly excited about them.

However, these ‘traditional’ security threats will continue to remain a major pain, for both consumers and corporate users. The countermeasures are pretty straightforward and obvious; security and protection methods have long caught up with such cyberattacks. At the same time, attacks like the one with the Facebook Trojan in January still affect tens of thousands of users, so it’s worth an effort to increase public awareness of protection methods and techniques. There’s clearly room for improvement across the board.

Attacks on IoT, home routers and industrial networking appliances

What do garage door remote controllers and Cisco’s networking software have in common? Well, they have equally loose protection.
While users and vendors see protection as vital for traditional computers and devices, they pay less attention to their connected “smart” devices. What is often overlooked with the Internet of Things is that these devices are powerful computers that are frequently left unsecured, and that can lead to breaches or worse.

When it comes to attacks on these types of devices, there were a few stories that stood out on Threatpost. #9 Back in 2014, Check Point’s security researchers discovered a vulnerability which affected 12 million home routers (Story). A specially crafted packet was used to expose the router’s web interface. #8 Later, in June 2015, hard-coded default SSH keys were found in Cisco’s security appliances (Story). It was just one of many cases in which such bugs were found in network appliances and software.
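A defender’s check that follows from #8, as an added example that is not code from the original post: given ssh-keyscan style output collected from a fleet of appliances, flag any host key that is presented by more than one device, since a shared key means one extracted secret exposes every device that carries it. The host names and key blobs below are constructed placeholders.

```python
"""Detect SSH host keys shared across several devices (added example)."""
import base64
import hashlib
from collections import defaultdict

# Constructed sample in ssh-keyscan output format: "<host> <key-type> <base64 key>".
# Hosts are placeholders and the key blobs are made up; fw-01 and fw-02 share one.
SAMPLE_SCAN = """\
fw-01.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0OOBxGuaranteedFake1
fw-02.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0OOBxGuaranteedFake1
fw-03.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDifferentKeyMaterial2
# fw-04.example.internal: scan failed, line commented out
switch-01.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeEd25519Key
"""


def parse_keyscan(text):
    """Yield (host, key_type, key_b64) from ssh-keyscan style lines, skipping comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: ignore it rather than abort the whole sweep
        yield parts[0], parts[1], parts[2]


def fingerprint(key_b64):
    """OpenSSH-style fingerprint: SHA-256 of the decoded key blob, base64 without padding."""
    blob = base64.b64decode(key_b64 + "=" * (-len(key_b64) % 4))
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(text):
    """Map fingerprint -> sorted host list for every key seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _key_type, key_b64 in parse_keyscan(text):
        hosts_by_fp[fingerprint(key_b64)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_SCAN).items():
        print(f"shared host key {fp} on: {', '.join(hosts)}")
```

Feed it the real output of `ssh-keyscan` over your device inventory; any fingerprint listed against two or more hosts deserves a look at whether the key was generated per device or shipped in the firmware image.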

#7 Around the same time, renowned security researcher Samy Kamkar discovered that remote garage door controllers, quite popular in the US, also suffer from weak security (Story). It takes 30 minutes of brute force to crack the keys, but a series of software bugs allowed Kamkar to cut this time down to 10 seconds.

Lest we forget, there were also serious vulnerabilities in automotive systems. This summer, following groundbreaking research by Charlie Miller and Chris Valasek, Fiat Chrysler issued the first ever security patch for a car: the vulnerability could be used to remotely hack the vehicle management system via the multimedia dashboard, ultimately opening an opportunity to even hijack the steering system. Seriously, if there are bugs in software and computing appliances, why shouldn’t there be bugs in the car itself? Can’t help but recite a famous but now deleted Tweet:

When computers are entrusted with a task, they tend to make fewer mistakes and bloopers than humans. But it is people who program them, and computing systems are becoming increasingly essential to mission-critical tasks, from managing nuclear power plants to controlling city traffic. Welcome to the brave new world!

Encryption

Well, that’s where it gets complex. Only serious scientific research can assess the strength of an encryption method. There’s a good example to prove this point: SHA-1, a popular hashing algorithm, was considered perfectly reliable some five years ago, but in 2015 it was rendered ‘theoretically vulnerable.’
The NSA has already questioned the resilience of elliptic curve encryption algorithms and is considering (or pretending to consider) encryption techniques which would be uncrackable even for quantum computers.

#6 But that’s not the only problem with encryption. Weak encryption posed a serious threat to the Open Smart Grid Protocol (Story). OSGP is an IoT deployment of the electrical grid, an attempt to unite all meters and management systems into a single network. That means potential security issues could compromise the electricity supply. The network’s complexity is the reason why the key criterion for assessing encryption resilience is trust.
In 2014 the developers of TrueCrypt, a rather popular utility for on-the-fly encryption, decided to shut down their project. #4 Following that sequence of events, we have witnessed several independent source code audits and the emergence of inherently curious spin-offs: VeraCrypt and CipherShed (Story). Recently a backdoor in Juniper routers was discovered, and the encryption issue was also of paramount importance in that incident.

Serious vulnerabilities & serious attacks

#5 While last year’s superstars among the vulnerabilities were, without doubt, Shellshock and Heartbleed, this year the Stagefright vulnerability (Story) in Android and #3 the bug in a standard GLIBC library function in Linux (Story) took center stage.

Linux bug hunter. An artistic interpretation

Each known vulnerability could be found through either ‘theoretical’ or ‘practical’ discovery. In some cases, researchers provided a proof-of-concept attack first, but at times a new bug is found only after attacks happened in-the-wild.

As far as practical attacks are concerned, two of the major campaigns discovered by Kaspersky Lab were Carbanak and The Equation. While the first is impressive in terms of sustained loss ($1B, in case you were wondering), the latter is stunning because of its advanced and sophisticated toolset, including a means of restoring control over the victim’s PC by using modified HDD firmware, as well as the duration of the campaign, measured in decades.

Routine vulnerabilities in commodity software

Adobe Flash serves as a perfect example for this category: 14, 24 and 28 January, March, June, July, September, December. The bad news is that Adobe Flash is still an unbelievably vulnerable piece of software. The good news is that patches (at least Adobe’s) are issued en masse, with a handful of bugs fixed in one update. That does not mean the software has become more secure, yet the overall trend over the year is positive: developers have started to take security very seriously.

The software is installed on a large number of systems, including Web browsers, and gets a lot of attention. Browser developers are forced to both supervise their own software and protect users from threats on websites (at times their only option is to restrict certain capabilities, which happened to Flash in Chrome). #2 The participants of the pwn2own hackathon in March managed to hack all the major browsers: first Firefox and IE, and then Chrome and Safari (Story).

White hats after a successful hack at pwn2own

#1 Obsolete NPAPI extensions blocked in Chrome (Story). NPAPI blocking, which happened in April, resulted in the malfunction of a number of plugins, from Java to Silverlight, causing many problems on the developers’ side. Phasing out legacy code has become a key trend recently.

I doubt security issues will be less prominent in 2016. I’m sure new methods to battle cyberthreats will eventually emerge. So we’ll definitely have lots to talk about next year. As for background reading, I recommend checking out the 2015 recap of threats by Kaspersky Lab’s experts, a dedicated analysis of cyberthreats for businesses and the 2016 predictions.