We decided to list here some of the security screw-ups that offer deeper insights into what on earth was really going on in security during 2015. On the surface it was the usual batch of incompetent programming, commercial avarice and a tendency to underestimate the lengths attackers will go to undermine systems as part of small-scale targeted attacks. There was also some bad luck.
But the year brought an important security trend into unpleasantly sharp focus – however big the threat from external attackers it is the inadvertent flaws built into technology or services that represent the most serious security challenge of all. After years of data breaches, it is a profound realisation that however bad an enterprise’s enemies, it is its friends that might do us the most damage.
Security flaws of the year 2016 - Independent newspaper blog serves ransomware
The Independent main website has a reputation as a CPU-heavy monster but in December 2015 its WordPress-powered blog site was found by Trend Micro to be serving something much worse in the form of TeslaCrypt ransomware. Not for the first time, the culprit was an Adobe Flash vulnerability being exploited by the Angler Exploit kit to unpatched users, especially those running IE.
The most disturbing aspect of this story is that nobody from The Independent noticed an attacks that had been on the site since at least 21 November 2015 before being pointed out to them weeks later by Trend. Their excuse was that the site was ‘legacy’ and rarely visited which might explain why it was running WordPress 2.9.2 a long out-of-date version from 2010. If so, why on earth was it running at all?
Security flaws of the year 2016 - Juniper VPN ‘back door’
Rumours of back doors in networking equipment have been kicked around for some time and were mostly ignored as technical paranoia but the huge weakness uncovered in the VPN part of Juniper’s NetScreen firewall kit before Christmas 2015 suggest that the worries have substance.
The primary weakness is in a piece of encryption furniture called Dual_EC_DRBG random number generator which contained a software flaw that allowed the insertion of a back door, present since at least 2012. Who created the back door– a way of eavesdropping on supposedly secure encrypted VPNs used by large enterprises – is still a mystery but on the basis of documents leaked by Edward Snowden the original RNG weakness appears to have been something the NSA was aware of. It remains possible that a foreign power noticed the flaw and planted the back door; either way, the NSA looks culpable for what is in effect a double pwn.
Security flaws of the year 2016 - Equation Group hacks HDD firmware
In February 2015 NSA scourge Kaspersky Lab revealed news of two surveillance modules used by the agency’s Equation Group’ in the aftermath of Stuxnet that appeared to be designed to infect the firmware of numerous hard drive models, something that would be almost impossible to remove let alone detect. This was probably a small-scale attack used on very specific targets but as a proof-of-concept attack it was pretty chilling. If PCs have been subverted at the level of manufacturer firmware, other security measures become, frankly, academic.
Security flaws of the year 2016 - anti-virus products that make things worse
Although dented in recent times by advanced malware, the multi-billion anti-virus industry still sells itself the general contention that it offers a defence against most software-based attacks. It’s better to have it than not. In March 2015, Israeli security firm enSilo discovered a software flaw in AVG’s anti-virus products (patched in two days), which gave a way for an attacker to use the AV as a way to defeat Windows’ built-in exploit protections such as Address Space Layout Randomization (ASLR).
Vulnerable products eventually included specific builds of McAfee Virus scan Enterprise version, Kaspersky Total Security 2015, and unpatched AVG Internet Security 2015. A vulnerability checker is now available.
The user is now the product. AVG went public in 2012, presumably a coincidence.
Security flaws of the year 2016 - meet MacKeeper
It’s not just PC users either. MacKeeper is a controversial program aggressively marketed offered to Apple Mac users as a security and utility suite by a German company with alleged connections to a defunct Ukrainian company called ZeoBit accused of scareware tactics. It’s fair to say it does not enjoy a positive image among some Mac users but that hasn’t stopped it acquiring at least 13 million users since its release in 2010. Then, in December, a security researcher used the Shodan search engine to fine an exposed database that allowed him to download the personal details of this user base, which in the wrong hands would have been a pretty calamitous data breach.
The company claims that only the researcher accessed the 21GB of vulnerable data, which is small comfort.
Security flaws of the year 2016 - Lenovo’s Superfish
PC vendors are hurting. Margins are thin, people are buying fewer of their Windows devices. One way to make some money is to include software on new PCs that users subscribe to (giving the maker a cut) or even in the case of number one vendor Lenovo, to serve lucrative ads through a program called ‘Superfish’.
The Superfish debacle serves as an example of how money-making add-ons can go horribly wrong. The adware installed on some computers was bad enough but Superfish also broke HTTPS security, interfering with encrypted connections in order to serve ads. The self-signed certificate was also the same on every machine, a dangerous come-on for attackers looking to carry out man-in-the-middle attacks. This was no accidental flaw, an oversight if you will. Superfish was designed this way.
Security flaws of the year 2016 - Dell’s eDellRoot certificate
You’d think Supetfish had warned other PC makers over the state of software they ship with their product but apparently not in Dell’s case. First, a remote support tool was found to contain a self-signed root certificate and private key that offered a way for attackers to break the HTTPS security of any website. A second piece of software, Dell System Detect (DSD), was found to be trying the same trick. Unlike Lenovo, which was accused of taking weeks to acknowledge the issue, Dell reacted within days.
Security flaws of the year 2016 - TalkTalk, not once but thrice
TalkTalk’s management will be relieved to see the back of 2015 and not without reason as it suffered the third in a sequence of data breach incidents that left it looking pretty foolish. The cyberattack on its website in late October 2015 on an unknown portion of its four million customer base left the company reeling and its CEO Dido Harding looking and sounding uncomfortable under questioning. At least she had the guts to put herself out there. UK CEOs in the same potion have a tendency to hide, as if a major data breach is simple a temporary technical problem.
By November, with third-party help, the company reported that the number of compromised accounts was ‘only’ 159,959, of which 15, 656 had their bank account details compromised. Three people were subsequently arrested in connection with the attack although the extent of their involvement, if any, will only become clear in any trial.
“We are understandably the punch-ball for everybody wanting to make a point at the moment. Nobody is perfect. God knows, we’ve just demonstrated that our website security wasn’t perfect – I’m not going to pretend it is – but we take it incredibly seriously,” Harding told The Guardian newspaper.
Security flaws of the year 2016 - Google Android flaws
Android is a fascinating mobile platform, driven forward by Google so rapidly that it has turned into a fragmented mess. Even among current smartphones and tablets, several versions are common from 4.4 to 6.0, which inevitably leads to security problems. No wonder the company is trying to set an example with its Nexus devices, which are now patched directly on a regular cycle, a sign of how seriously Google now takes security. Handsets from third parties though mobile networks, might not be so lucky.
Just as well because after the company rolled out is flaw bounty in the summer of 2015, several major flaws were made public. The biggest of these was Stagefright but let’s not forget to mention Certifi-gate and, later in the year, something dubbed Stagefright 2.0, and even a way of beating Android 5.0 lockscreen security using a large password string.