Custom Top10 IT Security Events 2014

In our working terminology, there is one well-established English expression “threat landscape”. It is not normally translated into Russian (landscape of threats, yeah). If everything is extremely simplified, then this is the kind of thing on the basis of which companies make a choice: to buy more iron or spend money to protect the existing infrastructure. The dependence here is direct: if your trains constantly go off the rails, then this is not decided by the purchase of new locomotives.

You can evaluate the landscape (well, again) on a scale from affable to gloomy in different ways. Here, for example, is a version from our security experts: the results of 2014 , the forecast for 2015 and, for fans of numbers, numbers . What do the companies themselves think? We regularly ask them about it (more details here), but this year they decided to use another non-standard method.

Tracking of all significant news in the field of IT security, we are engaged in the editorial board of the Threatpost website . We decided to select 10 events of the outgoing year (for the site version in English ) according to a single criterion: the popularity of the relevant articles. And we got an interesting set of news relevant for IT people, our current and potential customers and security. It has absolutely no politics (that is, stories about Snowden and the NSA), and quite a few topics of a strategic plan. But the problems that need to be taken into account when assessing this very landscape right now have come to the fore. More details - under the cut.

10th place. TrueCrypt: the first (conditionally) verified distribution after the May epic failure
News . The drama is in the details .

“There is such a thing. TrueCrypt is not secure, but we will not tell you why. Use standard encryption in Windows. And we say goodbye. ” In a free interpretation, the message on the website of the developers of the popular TrueCrypt encryption system sounded just like that (and still hangs there , by the way). When you choose a security system (and it doesn’t matter whether it’s paid or free, encryption or antivirus), you evaluate the convenience, functionality, and arguments for the effectiveness of a particular security approach. But first of all, you should trust her, since it is too expensive to conduct an audit of the code yourself (even if it is available).

In the case of TrueCrypt, we were dealing with a really effective, simple and free encryption tool, which, at the same time, was developed by an anonymous group of authors. It is still not clear what exactly happened: either an incurable bug was really discovered, or the authorities recommended to close the shop, or simply tired of coding. More than six months have passed since the closure of the project, and apparently we will not find out the whole truth.

All hope is only for the collective initiative of the Open Crypto Audit Project , the purpose of which in relation to TrueCrypt is just the very code audit (and not only). At the end of June on GitHub was postedverified distribution TrueCrypt version 7.1a. Does this mean that the holes were not found and everything is fine? Alas, no, this is still a long way off. So far, we have managed to make sure that the source and builds of this version are, umm, really the source and builds of this version. Version 7.1a code was studied in the first part of the audit (the results were published in April). We are waiting for updates that you can follow, for example, here .

9th place. DDoS attack on UltraDNS
News .

The April attack on the UltraDNS service with a capacity of up to 100 gigabits per second using the DNS Amplification method led to the inaccessibility of the company's customers (including, for example, the Forbes magazine website) for several hours. It seems to be nothing special, especially compared to other DDoS attacks of this year, with a capacity of up to 400 Gb / s (already using vulnerabilities in the NTP protocol). The problem is that such attacks have become the norm. Unlike the most complex attacks, sometimes aimed at single targets (for example, see our latest Regin campaign report, 27 victims), DDoS is a universal problem. According to our data, at least 18% of companies have already encountered DDoS. And if, for example, spam (problem number one) causes indirect damage, then the loss from the inaccessibility of the website is direct and is reflected in lost sales and loss of reputation. This year's trend was just attacks with a shoulder, using holes in the fundamental network protocols, as well as a combination of DDoS and targeted attacks on AKA stun and steal a wallet. We will return to this topic today.

Topic: Detailed description of the DDoS Trojan for Linux.


The targeted attack of Dark Hotel is a non-trivial way to steal data from employees on a business trip.

8th place. Lock Bypass in iOS 7.1.1
News.

The April iOS 7.1.1 update, as well as the patch for Mac OS X, actually closed a serious hole in Apple's SSL protocol implementation (but not this one ). As often happens, old bugs were replaced by new ones, one of them partially circumvented the blocking system on the Apple iPhone 5 / 5s, and gained access to the address book. It is noteworthy that in the traditional scheme of such hacks “we quickly press on different buttons and poke variously on the screen” this time the voice assistant Siri was included.

As we all know, any news about Apple is a powerful traffic generator, so the holes in the apple devices simply had to get into our rating. As in the case of UltraDNS, the vulnerability itself is not indicative, but the industry’s attention to mobile devices: companies are increasingly seeing them as a threat, although they understand that using smartphones at work will not work.

According to our data, in 22% of companies have already encountered security problems associated with the theft or loss of mobile phones. Any security bypass in such an environment is a problem. Especially if corporate smartphones were not really protected. Or if the protection systems did not work. Along with bypassing the lock in the same version of iOS, another problem was discovered: mail encryption did not apply to attachments. Access to the phone’s file system provided access to attachments, which, you see, is somehow wrong.


Epic Turla - March study of the complex relationships between different APTs.

7th place. Internet from broken, behave accordingly
News .

If I were asked to non-verbally convey the state of security on the Internet with the help of two music videos, I would do it like this (your options for Wellcome in the comments, we’ll also talk about music and associations).

Desired state of affairs:


The real state of affairs:


Verbally, the state of affairs with Internet security was expressed in February this year by the head of our team of experts, Kostin Raiu: the Internet is broken. This is not paranoia, not FUD, not advertising: this is the case. Wherever you look, large-scale and poorly treatable problems are observed everywhere: with critical network protocols, with encryption, with mail, with the web, and with everything.

What to do? Going back to typewriters and other cyberpunk won't help , it's like at the dawn of a car boom, betting on horse traction. It is necessary to take this fact into account and build a defense strategy accordingly. “You have not closed there ... but an open fracture!” We will take this sad fact into account and return to the details.

6th place. Malicious node Tor
News .

Another interesting story on the topic of trust in security systems, in this case: an anonymity tool. At the end of October, researcher Josh Pitts discovered the output node of the Tor network, which on the fly added malicious code to any executable file downloaded by the user. A node located in Russia was quickly blocked by the network administration. The way to protect against such hacks is clear: do not trust anyone. More specifically: another layer of encryption never hurts. HTTPS traffic was naturally not affected by this hack.


Cross-platform (Windows, Max OS X, Linux, iOS) The Mask / Careto spyware campaign .

5th place. DDoS + targeted attack. Defeat Code Spaces
News .

When Target was stolen from an American retail chaindata of 70 million customers, it was unpleasant, but the shops and goods in them remained in place. If your business is 100% networked, then a targeted attack can destroy it all at once. This is exactly what happened in June this year with Code Spaces, which sold its own collaborative development and version tracking system.

The initial DDoS attack on the company's servers was followed by hacking of the Amazon EC2 control panel, then the creators of the service began to extort money. The attempt to regain access was unsuccessful: the cracker re-gained control and deleted almost all the data. Within 12 hours, the company was destroyed: it was impossible to restore the data and recover losses, and most importantly - to restore the reputation.

In the old version of the siteCode Spaces focused on data backup reliability. “A simple backup does not make sense without a clear plan for recovering from a failure that has been tested in practice and has repeatedly proven to work.” Gold words!

4th place. POOOOOOODLE
News .

Coming up with non-standard names not only for malware, but also for vulnerabilities or specific attack scenarios, has become a fashionable trend in IT security this year. In this case, POODLE is short for Padding Oracle On Downgraded Legacy Encryption. The essence of the attack: to force the client and server to establish a secure connection to downgrade from a secure protocol (TLS) to insecure and outdated (SSL 3.0, marking coming of age this year). As a result, under certain conditions, it becomes possible to intercept secure traffic and, for example, steal a cookie and then intercept a session. The conditions for the attack are so specific that no real cases of exploitation have been recorded. However, during October, developers of major browsers released an update by completely disabling SSLv3, which solves the problem.

3rd place. Shellshock
News . Background . The development of events . FAQ FAQ .

$ env 'x = () {:;}; echo vulnerable '' BASH_FUNC_x () = () {:;}; echo vulnerable 'bash -c "echo test"

Another victim of creative naming (but agree, Shellshock sounds more interesting than CVE-2014-6271 ), this time it is a serious bug in the universal command shell for Unix-based operating systems. The second case after the bug in OpenSSL is when you can answer “yes all!” To the question “which systems are exposed to it” and even not really lie too much. Shellshock is actively exploited, vulnerability search scales perfectly, and the admins of the affected servers again got a chance to play the game "how to fix everything and not break anything."

Following the history of Shellshock and Heartbleed, we received a lot of feedback from our customers, and I especially wanted to note the difficulties that small businesses experience with such vulnerabilities. If a large company may well allocate a noticeable resource for searching for vulnerable nodes and updating them, in small companies often either one IT specialist answers everything or there is no “admin” in the state at all. Therefore, the typical question asked by the owners of such companies is “how much does bashbug (heartbleed, etc.) threaten my business?”.

This is actually a non-trivial question. Is the office mail server that you once configured for a long time and since then it works? File server? What about cloud infrastructure rented from a third-party company? Network router What else? But what if it suddenly turns out that the patch released by the vendor does not really close the hole? Vulnerability in Bash brought a lot of problems to the operators of mission-critical systems, which you just can’t upgrade to, but on the other side there are thousands of small companies that suddenly had to deal with an unfriendly, confusing and dangerous IT environment.

2nd place. Heartbleed
The news . Background . Conclusions .

I won’t even waste time describing the bug, better thanXKCD still doesn’t work:



There has been a lot of controversy about “what's cooler - Heartbleed or Shellshock ”? On the one hand, a vulnerability in Bash leads to the execution of arbitrary code, while a hole in OpenSSL only allows access to data. On the other hand, the Heartbleed story aroused markedly greater interest. Perhaps the point is absolute uncertainty at the time of publication of data on the vulnerability. Who is affected? Who was hacked? Could you steal the data and which ones? Who are the victims - mail on Yahoo or online banking? Okay, we patched our servers, but did the contractors do this? Partners? Can they trust their data? I seem to have said that the Internet is broken? :)

1st place. Concealment of malicious code in image metadata in PNG format.
The news .Discussion on Reddit .

Uh ...



Well, actually this is an interesting method of web attack. We load an innocent picture in PNG format, from which we extract metadata, but in them just a malicious code is hidden. As a result, an invisible iframe is redirected to a visitor to an infected site with a redirect to another site from which an attack is already being conducted. Interestingly, yet another method of obfuscating malicious code is somehow not enough for a sensation, and yet this is the most visited article on the English version of Threatpost in the past year.

How so? Thanks I must say to the discussion on Reddit at the link above. And, more importantly, the original interpretation of the original newsletter in the style of “PNG found zero day! 111 AAAAA!”. The prospect of being attacked by loading a simple image really looks daunting. Fortunately, this time the broken Internet was completely broken.

So, the most popular story of the year turned out to be not about technology, but about perception. What happened with this news can be compared to the hack of Sony Pictures Entertainment, which is discussed even in movie magazines, completely losing any technical details along the way, but making you think about network security in general. Cyberattacks have become so widespread that just “another” is no longer attracting attention, the eye is blurred, the sight is down. The most interesting is only the very apocalyptic news like Sony Hack, Shellshock and "infect the whole world with one picture." In 2014, there were many, and this is bad. I hope that based on the results of these high-profile events, companies will reconsider their views on the protection of important data. And it will be good.