January 21, 2015

An outlandish Top 10 of cybersecurity events in 2014

Business

“Threat landscape” is a common phrase used in cybersecurity. It governs whether companies choose to buy new hardware or to spend money protecting existing infrastructure. Dependence is direct: If your trains get derailed all the time, buying new locomotives isn’t a solution.

There are various ways to assess this landscape on a scale of “amiable” to “gloomy “. Here are a few assessments from our experts: 2014 summary, predictions for 2015 and, for the number lovers, the figures. But what do companies think? We poll them regularly (see here for details), but this year we decided to use a non-conventional method as well. 

Our Threatpost site follows all the meaningful news regarding IT security. We decided to pick the top 10 events of the past year by a single criterion: the popularity of the corresponding articles. The results were interesting. There was no politics (no Snowden, no NSA) and few topics of strategic nature. The problems that stand out are those that have to be considered when assessing the threat landscape right now.

640

10. TrueCrypt: the first (relatively) verified distribution after the epic fail in May

The Story. Drama in detail.

“Guys, here’s the thing. TrueCrypt’s insecure, but we’re not gonna tell you why. Use the standard encryption in Windows. And we’re off. See ya”.

That’s the loosely interpreted meaning of the message from developers of a popular TrueCrypt encryption system (it’s still available here, by the way). When you choose your protection – paid or free, encryption or antivirus – you assess the convenience, functionality, and effectiveness of the approach to security. But first you must trust it since auditing the code – even if it is freely available – is a bit too costly.

In the case of TrueCrypt, we had an efficient, easy and free encryption tool, developed by an anonymous group of authors. It’s still unclear what the hell happened. Either there was a bug that couldn’t be fixed, or authorities “recommended” to desist, or they just got tired of coding. More than half a year has passed, and we’re not apparently going to learn the truth in full.

The only hope here is a collective initiative Open Crypto Audit Project, which aims to audit TrueCrypt’s code – and not just that. By the end of June, a verified distribution of TrueCrypt v.7.1a appeared on Guthub. Does it mean that all bugs have been discovered and everything’s alright now? Nope, far from it. For now, they have only learnt that sources and builds of this version are indeed sources and builds of this particular version. The 7.1a code was analyzed in the first part of the audit (results were revealed in April). Now we’re waiting for the next part. Progress can be followed here.

9. DDoS against UltraDNS

The story

April 100Gbps DDoS attack on UltraDNS using DNS amplification rendered quite a few clients inaccessible for hours. There was nothing particularly special in comparison to other DDoS attacks that reached up to 400Gbps (these used NTP protocol flaws). The problem is that such attacks became commonplace. Unlike the most complex, usually narrowly targeted threats (check out our report on Regin campaign that has only 27 victims), DDoS is a universal problem. At least 18% of companies worldwide have been hit with DDoS, according to our data. And if spam (which is the number one problem) harms only indirectly, website inaccessibility has a real impact: It means missed sales and reputation losses. The primary trend of this year is amplified DDoS attacks, using the flaws in fundamental network protocols, along with a combination of DDoS and targeted attacks in a manner like “stun and steal the wallet”. We’ll get back to this topic a bit later.

Here’s a detailed description of a DDoS Trojan for Linux.

darkhotel

Dark Hotel APT – a non-conventional way to steal data from traveling employees

8. Passcode bypass in iOS 7.1.1

The Story

The April iOS update to version 7.1.1 as well as a Mac OS X patch actually fixed a serious flaw in Apple’s implementation of SSL protocol (not this one, though). As it often happens, new bugs arrived, one of which made it possible to partially circumvent locks on Apple iPhone 5/5s and get access to the address book.

As we all know, any Apple-related news is a potent traffic generator, so the flaws in Apple’s devices couldn’t help making their way into our top list. As with UltraDNS it is not the flaw itself that’s notable, but the industry’s attention to mobile devices. Companies increasingly see them as a threat, although they understand that prohibiting smartphones in the workplace isn’t going to work.

According to our data, 22% of companies faced security issues related to loss or theft of mobile devices. Thus, any circumvention of security measures is indeed a problem – especially if the corporate smartphones weren’t protected well enough, or if the protection systems were out of commission. Besides the passcode circumvention there was yet another problem in the same version of iOS: e-mail encryption did not cover the attachments. Access to the phone’s file system provided access to the attachments, too.

epicturla

Epic Turla — a research of complex connections between different APTs.

7. The Internet is broken, act accordingly

The Story

If someone asked me to use non-verbal means to express the situation with security on the Web, using two music videos, I’d do it the following way (you’re welcome to offer your variants in the comments, let’s talk about music associations!).

The ideal situation:

The reality:

The situation with Web security has been well expressed by Costin Raiu, our experts team leader: the Internet is broken. It’s not paranoia, FUD, or advertising. That’s the way things are now. Anywhere you look there are vast and barely fixable problems: with critical protocols, with encryption, with email, with Web, etc.

What do we do? Getting back to typewriters is not going to help. We need to take this into consideration and build our defense strategy accordingly.

6. Tor malicious node

The Story

One more curious story about the trust put into protection systems, this time to make tools anonymous. In late October, security researcher Josh Pitts discovered an outgoing node in Tor, which added on the fly a malicious code to any executable file downloaded by a user. Located in Russia, this node had been promptly blocked off by Tor administration. The only way to protect yourself from such attacks is clear: trust no one. Or, to be more specific: an extra encryption layer will always come in handy. HTTPs traffic isn’t susceptible to this hack, of course.

maskcareto

A crossplatform (Windows, Max OS X, Linux, iOS) espionage campaign The Mask/Careto.

5. DDoS + Targeted attack. Code Spaces dissolution

The story

When the Target Corporation lost data on some 70 million clients to a malware, it was less than pleasant, but the shops stayed where they were. If your business is 100% online, a targeted attack may ruin it in no time. That’s what happened in June 2014 to Code Spaces, the vendor of a code-hosting and software collaboration platform.

The hacking of a control panel at Amazon EC2 followed the initial DDoS attack on the company’s server. Then the Code Spaces’ developers got blackmailed. All attempts to recover data were futile: the attacker regained control and deleted nearly everything. In 12 hours the company was down: there was no way to recover data, compensate the losses and, above all, restore their reputation.

The older version of Code Spaces’ site specifically emphasized the reliability of data backup: “Backing up data is one thing, but it is meaningless without a recovery plan, not only a recovery plan – but one that is well-practiced and proven to work time and time again”. Well said!

4. POOOOOOODLE

The story

Another fashionable trend in IT security this year: giving non-conventional names not just to malware, but to bugs and attack scenarios as well. POODLE stands for Padding Oracle On Downgraded Legacy Encryption. The subject-matter of the attack: to force the client and server – while establishing the secure connection – to downgrade from a secure TLS protocol to an insecure and obsolete one – SSL 3.0, which will be 18-years-old this year. In some conditions there is the possibility of intercepting the secure traffic and stealing cookies with consequent interception of the entire session. The required conditions are so specific that there were no real cases of exploitation detected so far. Still, all main browser vendors released a patch disabling SSLv3, which fixes the problem. Of all the unpleasant news of 2014, this one looks the most positive: the flaw is detected, the flaw is promptly fixed. Well, almost.

3. Shellshock

The story. Background. Development. FAQ

$ env ‘x=() { :;}; echo vulnerable’ ‘BASH_FUNC_x()=() { :;}; echo vulnerable’ bash -c “echo test”

One more victim of creative naming (Shellshock sounds much more interesting than CVE-2014-6271), this time: an extremely serious bug in Bash – the command-line shell for Unix-based operating systems. The second case – after the OpenSSL bug – when the question “what systems are subject to it” is answered with “all of them!” Shellshock is exploited actively, the vulnerable systems search is very much scalable, and the admins of the affected servers have yet another chance to play the game of “how to fix everything without breaking everything to shambles”.

In the wake of Heartbleed and Shellshock, we have received a lot of feedback from our clients, and we need to emphasize specifically how many issues small business experiences in this regard. A large company may assign considerable resources to search for the vulnerable nodes and fix them, while the smaller companies have either one IT specialist responsible for everything, or there’s no “admin” in the company altogether. So the typical question small business owners ask is “how much of a threat is Bashbug/Heartbleed/whatever to my business?”

Not a trivial question. Is the in-office mail server, that was configured long ago and is “working okay”, affected? How about the file server? Or what about the rented cloud infrastructure? A network router? What else? And what if the vendor’s patch doesn’t fix the flaw? The Bash vulnerability brought a lot of headaches to critical infrastructure operators, which aren’t easily updateable, yet on the other side there are thousands of smaller entities that all of sudden had to find their way through the unfriendly, confusing, and plain dangerous IT environment.

2. Heartbleed

The story. Background. Implications

Can’t describe the bug better than XKCD has done:

Untitled

There were many debates: What is tougher – Heartbleed or Shellshock? On one side, Bash vulnerabilities allow for executing an arbitrary code, while OpenSSL bug only allows access to the data. On the other hand, Heartbleed’s story drew much more interest – probably due to the total uncertainty at the time of publication. Who is affected? Who was attacked? Has the data been stolen, and if so, what kind? Who are the victims – Yahoo mail or online banking? Okay, we’ve patched our servers, but have our contractors done so? Partners? Can we trust them with our data?

Have I said before that the Web is broken?

1. Hiding a malicious code in PNG metadata

The news. Reddit thread.

Er-r-r-rr, what?

Well, that’s an interesting method of attack. Upload an innocent PNG picture, pull out its metadata, find the bad code within. As a result, the visitor to an infected website is fed with an invisible iframe redirecting to another site, which is doing the attack. Just another method of obfuscating the malicious code doesn’t make it a sensation yet it is the most visited Threatpost.com article in 2014. 

How’s that? Probably, thanks to the Reddit thread linked above. And, more importantly, the peculiar interpretation of the initial news piece – sort of like this: “A zero day in PNG!!11 OMG!” The possibility of getting hacked simply by downloading a picture is scary. Fortunately, this time they failed to completely break down the already broken Internet.

So the most popular story of the year proved to be not about technology, but about perception. What happened to this news can be compared to the Sony Pictures Entertainment hack, which is discussed in cinema magazines while stripping away all of the technical details, but still provoking thinking on security in general. Cyberattacks are so common now that just another one won’t draw much attention: vision has blurred and focus has shifted. Only the most apocalyptic news such as the Sony Hack, Shellshock, and “infect the world with a single png pic” feel interesting. There were many of them in 2014, and this is bad. But, hopefully more companies will review their approach to security because of them. Which is good news.