فا

‫ Top 10 in 2011: An 'explosive' year in security

IRCRE201201087

As we turn the page to 2012, it makes sense to sit back and take a look at what happened during the past twelve months in the IT Security world. If we were to summarize the year in one word, I think it would probably be “explosive.” The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to crack into top 10 of security stories of 2011. What I was aiming for with this list is to remember the stories that also indicate major trends or the emergence of major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012.

1. The rise of Hacktivism

It’s difficult to imagine someone reading this list who has not yet heard of Anonymous, LulzSec or TeaMp0isoN. Throughout 2011, these groups, together with others were actively involved in various operations against law enforcement agencies, banks, governments, security companies or just major software vendors. Sometimes working together, in other cases, working against each other, these groups emerged as one of the main actors of 2011, through incidents such as security breaches of networks belonging to the United Nations, security intelligence firm Stratfor, FBI contractor IRC Federal, US Defense contractor ManTech or the CIA website. Interestingly, some of these incidents, such as the Stratfor hack revealed major security problems such as the storing of CVV numbers in unencrypted format, or extremely weak passwords used by the administrator.

Overall, the rise of hacktivism was one of the major trends of 2011 and no doubt, it will continue in 2012 with similar incidents.
2. The HBGary Federal hack

Although related to the first item on this list, I’d like to point this out as a separate story. In January 2011, hackers from the ‘Anonymous’ hacker collective broke into HBGary Federal’s webserver “hbgaryfederal.com” through an SQL injection attack. They were able to extract several MD5 hashes for passwords belonging to the company CEO, Aaron Barr and COO, Ted Vera. Unfortunately, both used passwords were very simple: six lowercase letters and two numbers. These passwords allowed the attackers to get access to the company’s research documents and tens of thousands of mails stored on Google Apps.

I believe this story is relevant because it shows an interesting situation – the usage of weak passwords together with old software systems and cloud application can turn into a security nightmare. If the CEO and COO would have been using strong passwords, maybe none of this would have happened. Or, if they would have had multi-factor authentication enabled on Google Apps, the attackers wouldn’t have been able to access the superuser account and copy all the company e-mails. It’s important to point out that even if better security measures were into place, we can’t rule out the possibility that the persistent hackers wouldn’t have found another way in. Persistence and determination, together with time, gives the attackers the upper hand.
3. The Advanced Persistent Threat

Although many security experts despise this term, it has made its way into the media and rocketed to the top with incidents such as the RSA security breach or imposingly sounding incidents such as operation “Night Dragon,” “Lurid,” or “Shady Rat.” Interestingly, many of these operations were not too advanced at all. On the other hand, there were many cases in which zero-day exploits were used, such as the RSA breach. In this case, the attackers took advantage of CVE-2011-0609 – a vulnerability in Adobe Flash Player - to run malicious code on the target machine. Another interesting zero-day is CVE-2011-2462, a vulnerability in Adobe Reader, which was used in targeted attacks against U.S. Defense contractor ManTech. Several things stand out in these attacks – many cases involved zero-day vulnerabilities in Adobe software such as Flash Player or Adobe Reader.

Additionally, many of these attacks were directed at U.S. targets, notably companies working with the U.S. military or government. From this point of view, the “Lurid” attack was interesting because it mainly targeted countries in the Eastern part of Europe, such as Russia or the CIS. These attacks confirm the emergence of powerful nation-state actors and the establishment of cyber-espionage as common practice.

Additionally, many of these attacks seem to be connected and have major global ramifications. For instance, the RSA breach was notable because the attackers stole the database of SecurID tokens, which was later used in another high-profile attack.

4. The Comodo and DigiNotar incidents

On March 15th 2011, one of the affiliates of Comodo, a company known for its security software and SSL digital certificates, was hacked. The attacker quickly used the existing infrastructure to generate nine fake digital certificates, for web sites such as mail.google.com, login.yahoo.com, addons.mozilla.com or login.skype.com. During the incident analysis, Comodo was able to identify the attacker as operating from the IP address 212.95.136.18, in Tehran, Iran. If in the Comodo incident, only nine certificates were created, the DigiNotar breach was a lot bigger. On 17th June 2011, the hackers began poking at the DigiNotar servers and during the next five days, managed to get access to the infrastructure and generate over 300 fraudulent certificates. The hacker left a message in the form of a digital certificate containing a message in the Persian language, “Great hacker, I will crack all encryption, I break your head!” To make the link with Iran more solid, days later, the fake certificates were used in a man-in-the-middle attack against over 100,000 GMail users from Iran.

The attacks against Comodo and DigiNotar are an indication of two emerging trends: first of all, we already have the loss of trust in the certificate authorities (CA), but in future, CA compromises may become even more popular. Additionally, more digitally signed malware will appear.
5. Duqu

In June 2010, researcher Sergey Ulasen from the Belarussian company VirusBlokada discovered a most intriguing piece of malware which appeared to use stolen certificates to sign its drivers, together with a zero-day exploit which used .LNK files for replication in a typical Autorun fashion. This malware became world famous under the name “Stuxnet,” a computer worm containing a very special payload, directly aimed at Iran’s nuclear program.

Duqu Trojan created by the same people as Stuxnet, Duqu was discovered in August 2011 by the Hungarian research lab CrySyS. Originally, it wasn’t known how one gets infected with Duqu – later, malicious Microsoft Word documents exploiting the vulnerability known as CVE-2011-3402 were discovered as a means of entry for Duqu. Compared to Stuxnet, the purpose of Duqu is quite different; this Trojan is actually a sophisticated attack toolkit which can be used to breach a system and then systematically siphon information out of it. New modules can be uploaded and run on the fly, without a filesystem footprint. The highly modular architecture, together with the small number of victims around the world made Duqu so hard to detect for years – the first trace of Duqu related activity we were able to find actually dates back to August 2007. In all the incidents we have analyzed, the attackers used an infrastructure of hacked servers to move the data, sometimes hundreds of megabytes, out of the victim’s PCs. Duqu and Stuxnet represent the state of the art in cyberwarfare and hint that we are entering an era of cold cyberwar, where superpowers are fighting each other unconstrained by the limitations of real world war.

source: ZDNet website


نظرات

بدون نظر
شما برای نظر دادن باید وارد شوید

مشخصات خبر

 
تاریخ ایجاد: 25 بهمن 1390

برچسب‌ها

امتیاز

امتیاز شما
تعداد امتیازها: 0