Top Security Incidents of 2011
I’m sure everyone will agree that 2011 was a busy year in the field of data security! So as the year draws to a close (and hopefully slows down a bit for the holidays), it seems like the appropriate time to reflect on its events and begin the process of distilling our experiences into “lessons learned” that we can take with us into 2012.
Of course, there isn’t room here to conduct a thorough examination of every significant event. Listing only the largest and most publicized events runs the risk of burying some of the more interesting items. So events are selected according to a combination of magnitude and ability to inform our thinking going forward.
“Tehran Bob”
In March we learned that the Comodo CA had been compromised via one of its small regional resellers and tricked into issuing fraudulent certificates for a variety of high-profile websites such as Google. An independent Iranian hacker claimed responsibility.
In August, an alert user detected that fraudulent certificates were being used in a massive man-in-the-middle attack conducted against Gmail users in Iran. He found that Google’s Chrome browser was giving warnings about the certificate appearing on Google’s own web sites. Word spread quickly that the Dutch CA DigiNotar had, in fact, been compromised for quite some time. In September DigiNotar earned the dubious distinction of being the first CA ever to be removed from browsers’ list of trusted roots for weak security.
What we learned:
- The security of every browser user in the world really does depend on every little CA reseller and sub-CA that we’ve never heard of before.
- Current certificate revocation systems are simply not effective.
- CA “pinning” can provide improved security, but currently only browser vendors have access to it.
- One person can make a difference.
Sony
After retroactively banning Linux from their customers’ previously-purchased PlayStation 3 systems and filing a lawsuit against researchers GeoHot and fail0verflow whose work was poised to re-enable it, all of Sony’s online systems (and then some) seemed to come under attack.
It started with DDoS attacks attributed to the Anonymous collective and went downhill from there. Other hackers found they could use a custom root CA to modify the messages exchanged between the PS3 and the PlayStation Network, reportedly enabling them to connect to internal developer systems. In unrelated attacks, account information was breached from several of Sony’s online systems including 77 million customer records from the PSN. The scope of the breach was so great that Sony was forced to shut down their PSN entirely for several weeks until it could be brought back online in a secure manner.
Estimates for the total cost of the attacks range from $170 million into the billions.
What we learned:
- Systems may run just fine, vulnerable, for long periods of time.
- The cost of an attack may be far in excess of the business value of the data itself. This overturns the conventional risk management guideline to not invest more to secure an asset than the asset itself is “worth.”
LulzSec
There was an old saying that English had no word which was a direct counterpart to the German word Schadenfreude, meaning “enjoyment which comes from the misfortune of others.” So perhaps it was inevitable that we would need such a word handy in describing the events of 2011. Fortunately, the same odd corners of the Internet that seemingly inspire this class of attacker have given us just such a word: lulz.
In mid-2011 a new hacking group named LulzSec appears on the scene, seeming to spring fully formed from the head(s) of Anonymous. Except that their activity is qualitatively different. Eschewing the blunt instrument DDoS tool of its progenitor (the Low-Orbit Ion Cannon), this group’s preferred modus operandi was penetrate systems and leak the largest amount of the most damaging information possible. To be sure Anonymous used this tactic, too, but LulzSec seemed to represent a refinement of it. They also skip the meta-political goals of Anonymous and instead project an image of a group seeking to shock us out of complacency and enjoying every minute of it.
What we learned:
- Attackers may not have the motivations that your security controls were designed to defend against (e.g. financial gain). They may be “in it for the lulz,” or something else entirely.
RSA
RSA is well known for two things: the amazingly useful public key encryption algorithm (which gave the company its name) and the RSA SecurID brand of hardware tokens for user authentication (which do not actually use the RSA algorithm). Today RSA is a subsidiary of EMC Corporation.
In March, the company disclosed that it had been the target of a successful cyber attack in which the attackers obtained some type of information which allowed them to reduce the protection provided by the tokens. Within a few weeks it was reported that this information had been used in intrusion attempts at US defense contractors, but there is little to suggest that the abuse is more widespread.
Many customers were disappointed in RSA’s reticence to share information about the attack, which would enable customers to make informed estimates of their own risk. Some were surprised that RSA would retain SecurID “key seed” data at all. (Ironically, the RSA algorithm is often used specifically to avoid sharing such secret keys unnecessarily.)
What we learned:
- We are dependent on our vendors.
- Even the most well-regarded technology companies can be “pwned” by an Adobe Flash 0-day.
- Continuous monitoring is essential.
- An attacker may seek to use you as merely a stepping stone in a larger plan.
Of course there were plenty of other noteworthy incidents from 2011 that there simply isn’t space here to discuss: the (former) Tunisian government’s man-in-the-middle attack on Facebook’s login authentication, the breach of Syria’s BlueCoat logs, kernel.org, and so on.
Perhaps 2012 will bring us less interesting times!
- Marsh
Recent Analyst Insight Report Builds a Case for Out-of-Band Phone-Based Authentication
 | The Aberdeen Group recently released an Analyst Insight report, The Case for Phone-based Authentication: Jumping on the Out-of-Band Wagon, which creates a business context for why many businesses are re-evaluating their current authentication strategies. The report notes that business drivers, such as increased compliance guidelines, many highly publicized security breaches – particularly those in the security space such as RSA and DigiNotar, and the growing mobility of today’s workforce, are generating increased interest in out-of-band, phone-based authentication. |
“Arguably the most personal and indispensable of all mobile devices, the mobile phone is carried by virtually all demographic groups and represents the ‘new normal’ way of life for a mobile and wireless population,” notes Derek Brink, Vice President & Research Fellow, IT Security for Aberdeen and author of the Analyst Insight report.
According to the report, "For organizations looking to augment their existing username and password implementations with two-factor authentication, out-of-band solutions integrate easily with existing application and identity infrastructure, and provide the convenience of leveraging the mobile phones that most enterprise end-users already carry and use."
Click here to download the Aberdeen Analyst Insight report.
~Sarah
The PhoneFactor App vs Soft Token Apps
Most mobile authentication apps are just hardware tokens in disguise, displaying a one-time passcode that the user keys in during login. The PhoneFactor App takes a different approach.
PhoneFactor pushes a notification to the user’s smartphone or tablet. Instantly, an alert pops up on the user’s device. The user simply taps “Authenticate” (or enters a PIN and taps “Authenticate”) in the PhoneFactor App to verify account logins and transactions.
The PhoneFactor App offers a number of benefits over one-time passcode apps, including:
- Out-of-Band Authentication – By leveraging a separate device – the phone – PhoneFactor protects against malware running on the user’s computer. Passcodes from mobile apps, which are entered into the user’s computer, are not out-of-band and as such are vulnerable to attack.
- Real-Time Fraud Alerts – If an attacker tries to log in with stolen credentials or transfer funds from an account, the legitimate user receives a notification and can report fraud instantly from the PhoneFactor App.
- Transaction Verification – In accordance with the 2012 FFIEC Authentication Guidance, the app can be used to verify transaction details by displaying them in the PhoneFactor App.
- Ease of Use - With no one-time passcodes to enter, authenticating with the PhoneFactor App is quicker and easier. It works instantly with any enterprise or web application, including those running on the user’s phone.
- One App, Countless Uses – The PhoneFactor App can be enabled for multiple accounts. For example, a controller may use the PhoneFactor App to verify online banking transactions while also using it to authenticate to the company VPN.
For more information:
Watch The Video
Try The Online Demo
~Sarah
PhoneFactor Unveils an Innovative Authentication App for iPhones and iPads
The new PhoneFactor App harnesses the power of smartphones and tablets to provide unmatched convenience for users and out-of-band security for enterprises and banks. Here’s how it works:
Try it yourself:
Simply register for a demo account, download the PhoneFactor App from the Apple App Store, and enter the activation code provided on the demo registration screen.
~Sarah
Subscribe in a reader.
