Top vulnerabilities of the year

    November 30 was International Computer Security Day. The holiday was established almost 30 years ago, in 1988, the year the Morris worm caused the first mass network epidemic.

    We hold security meetups regularly, and today we can do without yet another announcement (just follow the events on the blog). Instead, a top list of the main vulnerabilities of 2015 should stir up everyone who is in any way involved in protecting information and remind them of the basic security practices.

    Stepping on the same rake again

    The year started with a bang. The community had not yet recovered from Heartbleed, perhaps the most widely publicised vulnerability in history, when a flaw of comparable scale was disclosed under the codename GHOST (CVE-2015-0235). It was a critical buffer overflow in the glibc system library, triggered when specially crafted data was passed to gethostbyname() and gethostbyname2(), functions that many programs use to turn a host name into an IP address. The problem affected Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, Ubuntu 10.04 and 12.04, and SUSE Linux Enterprise 10 and 11. The interesting part is that the bug had been in the code since 2000 and was actually fixed back in May 2013 (the fix shipped in glibc 2.18), but without any indication that it had security consequences. As a result, a huge number of distributions simply never backported the fix to their stable packages.
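    A quick way to find out whether a given machine's glibc still carries the bug is the probe that Qualys published alongside the advisory: hand gethostbyname_r() a digits-and-dots host name sized to exactly fill a buffer under the old, wrong size formula, and watch a canary placed right after that buffer. The program below is an added example written for this article, not glibc's or Qualys's code; it assumes a glibc-compatible gethostbyname_r() and reports an unexpected result on other C libraries. It performs no network lookup, because numeric names are resolved locally.

```c
#define _GNU_SOURCE
#define _DEFAULT_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

enum ghost_result { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_UNEXPECTED = 2 };

#define CANARY "in_gloria"   /* arbitrary marker placed right after the buffer */

/* A 1 KiB resolver buffer followed by a canary. On an unpatched glibc the
 * miscalculated size check lets gethostbyname_r() write past the buffer and
 * clobber the canary; a fixed glibc refuses with ERANGE and writes nothing. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe = { "buffer", CANARY };

enum ghost_result ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(probe.buffer)];

    /* The digits-and-dots fast path reserves room for one IPv4 address
     * (16 bytes), two address pointers and the name itself; the vulnerable
     * formula forgot one more pointer. Pick the name length that exactly
     * fills the buffer under that wrong formula. */
    size_t len = sizeof(probe.buffer) - 16 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';
    memcpy(probe.canary, CANARY, sizeof(CANARY));   /* reset for repeated calls */

    int rc = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                             &result, &herrno);

    if (strcmp(probe.canary, CANARY) != 0)
        return GHOST_VULNERABLE;      /* the canary was overwritten */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;  /* fixed glibc: buffer too small, nothing written */
    return GHOST_UNEXPECTED;          /* different C library or resolver behaviour */
}

int main(void)
{
    static const char *names[] = { "not vulnerable", "VULNERABLE", "unexpected result" };
    printf("GHOST (CVE-2015-0235) probe: %s\n", names[ghost_check()]);
    return 0;
}
```

The probe is safe to run on a production host: on a patched system the call fails before touching the buffer, and on a vulnerable one the overflow is a handful of bytes into a canary that the program owns.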

    Ancient evil has awakened

    In the spring a critical vulnerability called FREAK was discovered in both server-side and client-side TLS/SSL implementations. On the client side it affected Android devices and the Safari browser; on the server side, every site that still accepted export-grade cipher suites was exposed. The most remarkable thing is that the weakness had been around for many years. Until the end of the 1990s the United States banned the export of products with strong cryptography, so to get around the restriction vendors had to build in deliberately weakened "export-grade" cipher suites, in effect leaving future attackers an open door into SSL.

    It was only a matter of time before someone found a way to run a man-in-the-middle attack that makes the TLS client accept one of those weak export cipher suites from the server. Breaking such a connection takes only a few hours, because the export suites rely on 512-bit RSA keys, which can be factored on rented cloud computing power; and since many servers reused the same 512-bit key for the lifetime of the process, factoring it once paid off for every later connection.
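    To make the downgrade concrete, here is an added example (written for this article, not code from the FREAK researchers or from any TLS library) that builds a ClientHello, applies the attacker's in-transit rewrite of the offered cipher suites, and performs the two checks a fixed client does on the server's reply. The client random, the cipher suite lists and the buffer sizes are assumptions of the example; the export-grade suite code points are the IANA values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* IANA code points of the export-grade suites FREAK abuses: RSA_EXPORT and
 * DH*_EXPORT, all capped at 512-bit RSA / 40-bit symmetric strength. */
static const uint16_t EXPORT_SUITES[] = {
    0x0003, 0x0006, 0x0008, 0x000B, 0x000E, 0x0011, 0x0014, 0x0017, 0x0019
};

/* Constructed 32-byte client random for the demo (remaining bytes are zero). */
const uint8_t SAMPLE_RANDOM[32] = { 0x5a, 0xa5, 0x01, 0x02, 0x03 };

int is_export_suite(uint16_t suite)
{
    for (size_t i = 0; i < sizeof EXPORT_SUITES / sizeof EXPORT_SUITES[0]; i++)
        if (EXPORT_SUITES[i] == suite) return 1;
    return 0;
}

/* Serialise a TLS record (version 3.1) carrying a ClientHello (client_version
 * 3.3) with the given suites and random, no session id, no extensions.
 * Returns the record length, or 0 if it does not fit in `cap` bytes. */
size_t build_client_hello(const uint16_t *suites, size_t n, const uint8_t random32[32],
                          uint8_t *out, size_t cap)
{
    size_t body = 2 + 32 + 1 + 2 + 2 * n + 2 + 2;   /* version .. extensions length */
    size_t total = 5 + 4 + body;                     /* record header + handshake header */
    if (n > 0x7FFF || total > cap) return 0;
    uint8_t *p = out;
    *p++ = 0x16; *p++ = 0x03; *p++ = 0x01;           /* content type handshake, TLS 1.0 record */
    *p++ = (uint8_t)((4 + body) >> 8); *p++ = (uint8_t)(4 + body);
    *p++ = 0x01;                                     /* handshake type ClientHello */
    *p++ = (uint8_t)(body >> 16); *p++ = (uint8_t)(body >> 8); *p++ = (uint8_t)body;
    *p++ = 0x03; *p++ = 0x03;                        /* client_version TLS 1.2 */
    memcpy(p, random32, 32); p += 32;
    *p++ = 0x00;                                     /* empty session id */
    *p++ = (uint8_t)((2 * n) >> 8); *p++ = (uint8_t)(2 * n);
    for (size_t i = 0; i < n; i++) { *p++ = (uint8_t)(suites[i] >> 8); *p++ = (uint8_t)suites[i]; }
    *p++ = 0x01; *p++ = 0x00;                        /* one compression method: null */
    *p++ = 0x00; *p++ = 0x00;                        /* no extensions */
    return total;
}

/* Parse a ClientHello record: copies the client random to `random32`, the
 * offered suites to `suites` (at most `cap`) and returns their count, or -1
 * on malformed or truncated input. */
int parse_client_hello(const uint8_t *rec, size_t len, uint8_t random32[32],
                       uint16_t *suites, size_t cap)
{
    if (len < 5 || rec[0] != 0x16) return -1;
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    if (rec_len > len - 5 || rec_len < 4 || rec[5] != 0x01) return -1;
    size_t hs_len = ((size_t)rec[6] << 16) | ((size_t)rec[7] << 8) | rec[8];
    if (hs_len > rec_len - 4 || hs_len < 2 + 32 + 1) return -1;
    const uint8_t *b = rec + 9, *end = b + hs_len;
    b += 2;                                          /* client_version */
    memcpy(random32, b, 32); b += 32;
    size_t sid_len = *b++;
    if ((size_t)(end - b) < sid_len + 2) return -1;
    b += sid_len;
    size_t cs_len = ((size_t)b[0] << 8) | b[1]; b += 2;
    if (cs_len % 2 || cs_len > (size_t)(end - b) || cs_len / 2 > cap) return -1;
    for (size_t i = 0; i < cs_len / 2; i++)
        suites[i] = (uint16_t)((b[2 * i] << 8) | b[2 * i + 1]);
    return (int)(cs_len / 2);
}

/* The attacker's first move in FREAK: rewrite the offer in transit so that
 * only RSA_EXPORT suites remain (the client random is kept), which makes an
 * export-capable server answer with a temporary 512-bit RSA key. */
size_t mitm_downgrade(const uint8_t *rec, size_t len, uint8_t *out, size_t cap)
{
    static const uint16_t rsa_export[] = { 0x0003, 0x0006, 0x0008 };
    uint8_t rnd[32]; uint16_t tmp[64];
    if (parse_client_hello(rec, len, rnd, tmp, 64) < 0) return 0;
    return build_client_hello(rsa_export, 3, rnd, out, cap);
}

/* The checks a fixed client performs on the server's reply. Returns 0 if the
 * handshake may continue, 1 if the server picked a suite the client never
 * offered, 2 if the server sent an RSA ServerKeyExchange (a temporary key)
 * for a suite that is not export-grade: exactly what vulnerable clients
 * accepted after the attacker rewrote the ServerHello back to a normal suite. */
int client_check(const uint16_t *offered, size_t n, uint16_t chosen, int rsa_server_key_exchange)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) if (offered[i] == chosen) found = 1;
    if (!found) return 1;
    if (rsa_server_key_exchange && !is_export_suite(chosen)) return 2;
    return 0;
}

int main(void)
{
    const uint16_t modern[] = { 0xC02F, 0x009C, 0x002F, 0x0035 };
    uint8_t rec[128], down[128], rnd[32]; uint16_t got[16];
    size_t len = build_client_hello(modern, 4, SAMPLE_RANDOM, rec, sizeof rec);
    size_t dlen = mitm_downgrade(rec, len, down, sizeof down);
    int n = parse_client_hello(down, dlen, rnd, got, 16);
    for (int i = 0; i < n; i++)
        printf("downgraded offer: 0x%04x%s\n", got[i], is_export_suite(got[i]) ? " EXPORT" : "");
    return 0;
}
```

The same parser doubles as a detection aid: a modern client offering any of the EXPORT_SUITES code points in its ClientHello, or a ClientHello whose suite list shrinks between two capture points, is a sign that something on the path is tampering with the handshake.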

    The perennial "vulnerability in Flash" column

    On July 14, Adobe released a Flash Player update closing a critical vulnerability that allowed remote code execution, and so remote control of the system, on Windows, Linux and OS X; exploit kits were using it to covertly install the CryptoWall 3.0 file-encrypting ransomware. Because Flash runs as a plugin, the bug was exploitable in almost every browser in use at the time.

    In general, the year passed under the motto "let's bury Flash already". Facebook's security chief Alex Stamos publicly called on Adobe to announce an end-of-life date for Flash. And Recorded Future published a study of the vulnerabilities used by popular exploit kits: of the ten vulnerabilities most often built into the kits, eight targeted the Flash plugin.

    Remote car hacking

    At DEF CON 2015 in August, researchers presented six vulnerabilities in the Tesla Model S that could be used to take control of the car, although exploiting them still required physical access to the vehicle. Tesla promptly shipped an over-the-air update.

    In July, security researchers Charlie Miller and Chris Valasek, working with Wired magazine, hacked a Jeep Cherokee. Through vulnerabilities in the Uconnect infotainment system the white-hat hackers gained remote access to the multimedia system, the wipers and the air conditioning, then got past the protection on the steering and in the end managed to disable the brakes. The whole attack was carried out remotely, over the cellular network, with no physical access to the car. A separate story that summer concerned the dongles plugged into the on-board computer's diagnostic port to measure fuel efficiency and mileage: a bug in these devices likewise allowed a car to be controlled remotely.

    Back in February, a vulnerability had been found in BMW's ConnectedDrive infotainment system. The researchers ran the attack through a fake mobile base station: by spoofing the network traffic they could lower the windows and unlock the doors, though not start the engine.

    95% of users vulnerable

    It is no secret that the popularity of a technology correlates directly with the number of attacks on it. In July (summer is the hackers' hot season) it suddenly turned out that almost a billion Android devices could be taken over remotely with a single MMS. The bugs were in Stagefright, the built-in Android library that parses media files of various formats, and they affected about 95% of Android devices. Fortunately, Google promptly released an OS update; unfortunately, older devices never received it.
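    The Stagefright bugs were integer overflows in the size arithmetic of Android's MPEG-4 parser: a box header declares a size, the parser adds it to its current offset or to an allocation size in 32-bit arithmetic, the sum wraps, and the bounds check passes. The code below is an added illustration written for this article, not libstagefright's code; it uses a minimal ISO BMFF box walker and two constructed sample files (the "isom" brand and the 0xFFFFFFF8 size are made up for the demo) to show the wrong and the right form of the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The bug class: `pos + size` is evaluated in 32-bit arithmetic, so a huge
 * declared size wraps around and passes the bounds test. */
int box_fits_unchecked(uint32_t pos, uint32_t size, uint32_t total)
{
    return pos + size <= total;
}

/* Overflow-safe form: compare the size against the space actually left. */
int box_fits(uint32_t pos, uint32_t size, uint32_t total)
{
    return pos <= total && size <= total - pos;
}

/* Walk the top-level boxes of an ISO BMFF (MP4/3GP) buffer. Each box starts
 * with a 32-bit big-endian size and a 4-character type; size 1 means a
 * 64-bit "largesize" follows, size 0 means "to the end of the data". Stores
 * up to `cap` box types in `types` and returns the number of boxes seen, or
 * -1 as soon as a header is truncated, smaller than its own header, or
 * claims more bytes than remain. */
int walk_boxes(const uint8_t *buf, size_t len, char types[][5], size_t cap)
{
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        if (len - pos < 8) return -1;                     /* truncated header */
        uint64_t size = ((uint64_t)buf[pos] << 24) | ((uint64_t)buf[pos + 1] << 16)
                      | ((uint64_t)buf[pos + 2] << 8) | buf[pos + 3];
        size_t hdr = 8;
        if (size == 1) {                                  /* 64-bit largesize follows */
            if (len - pos < 16) return -1;
            size = 0;
            for (int i = 0; i < 8; i++) size = (size << 8) | buf[pos + 8 + i];
            hdr = 16;
        } else if (size == 0) {
            size = len - pos;                             /* box extends to end of data */
        }
        if (size < hdr || size > len - pos) return -1;    /* too small, or overruns buffer */
        if ((size_t)count < cap) {
            memcpy(types[count], buf + pos + 4, 4);
            types[count][4] = '\0';
        }
        count++;
        pos += (size_t)size;
    }
    return count;
}

/* Constructed well-formed sample: ftyp (16 bytes), free (8 bytes), mdat with size 0. */
const uint8_t SAMPLE_GOOD[] = {
    0x00, 0x00, 0x00, 0x10, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x08, 'f', 'r', 'e', 'e',
    0x00, 0x00, 0x00, 0x00, 'm', 'd', 'a', 't', 0xde, 0xad, 0xbe, 0xef
};

/* Constructed malicious sample: a second box whose declared size 0xFFFFFFF8
 * makes `16 + size` wrap to 8 in 32-bit arithmetic. */
const uint8_t SAMPLE_BAD[] = {
    0x00, 0x00, 0x00, 0x10, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0x00, 0x00, 0x00, 0x00,
    0xff, 0xff, 0xff, 0xf8, 'm', 'o', 'o', 'v', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    char types[8][5];
    int n = walk_boxes(SAMPLE_GOOD, sizeof SAMPLE_GOOD, types, 8);
    for (int i = 0; i < n; i++) printf("box %d: %s\n", i, types[i]);
    printf("malicious file: walk_boxes=%d, unchecked test fits=%d, safe test fits=%d\n",
           walk_boxes(SAMPLE_BAD, sizeof SAMPLE_BAD, types, 8),
           box_fits_unchecked(16, 0xFFFFFFF8u, (uint32_t)sizeof SAMPLE_BAD),
           box_fits(16, 0xFFFFFFF8u, (uint32_t)sizeof SAMPLE_BAD));
    return 0;
}
```

The same pattern applies one level down, where Stagefright actually lived: nested boxes and allocation sizes computed as `header + payload` need the subtraction form of the check, never the addition form.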

    Hacking iOS 9

    In November it emerged that iOS 9 had been hacked, though nobody knows by whom or how. The announcement came from Zerodium, a company that buys and resells vulnerabilities. It had run a contest whose participants had to find and exploit a flaw in the Safari or Chrome browser. In the end an unnamed team received $1 million for an exploit chain that remotely installs arbitrary software on devices running iOS 9.

    The encryption trend

    File-encrypting ransomware came not just to Linux users in general but specifically to site administrators running their own web server on the machine. The Linux.Encoder.1 Trojan downloads a file with the ransom demand (payable in bitcoins) and a file containing the path to an RSA public key, then starts itself as a daemon and deletes its original files. The RSA key is used to wrap the AES keys with which the Trojan then encrypts the files on the infected computer.

    The Trojan first encrypts files in users' home directories and in directories related to website administration; only then does Linux.Encoder.1 work through the rest of the system. Encrypted files get the new extension .encrypted.

    As of November 12, 2015, about 2,000 websites had reportedly been hit by the Linux.Encoder ransomware. And this Trojan was not alone: Linux.Encoder.2 uses a different pseudo-random number generator, uses the OpenSSL library for encryption (rather than PolarSSL, as in Linux.Encoder.1), and encrypts in AES-OFB-128 mode. The choice of PRNG is not a detail. Linux.Encoder.1 derived its AES keys and IVs from the C library's rand() seeded with the current timestamp, and Bitdefender showed that the seed could be recovered from the encrypted files' timestamps, so the data could be decrypted without paying.
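    The following added example, written for this article and not the Trojan's or Bitdefender's code, models why that kind of key derivation is fatal: it seeds rand() with a clock value, derives a 16-byte key, encrypts a file with it, and then recovers the key by trying every second in a window around the file's mtime until a known plaintext prefix decrypts correctly. AES is replaced with a toy keystream cipher so that the block runs stand-alone (an assumption of the example, not a cipher to use anywhere); the timestamps and the PHP file are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* Weak key generation modelled on the mistake in Linux.Encoder.1: seed the
 * C library's rand() with a clock value and take the key bytes from it. */
void derive_key_from_seed(uint32_t seed, uint8_t key[KEY_LEN])
{
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xFF);
}

/* Toy keystream cipher standing in for AES (an assumption of this example;
 * it is NOT a secure cipher). Known plaintext reveals keystream bytes but
 * not the 16-byte key, so the practical attack is the seed search below,
 * just as with the real AES. XOR is its own inverse: one call encrypts and
 * decrypts. */
void xor_crypt(const uint8_t key[KEY_LEN], const uint8_t *in, size_t len, uint8_t *out)
{
    uint64_t s = 0xcbf29ce484222325ULL;             /* fold the key into a 64-bit state */
    for (int i = 0; i < KEY_LEN; i++) s = (s ^ key[i]) * 0x100000001b3ULL;
    if (s == 0) s = 1;                              /* xorshift state must be non-zero */
    for (size_t i = 0; i < len; i++) {
        s ^= s << 13; s ^= s >> 7; s ^= s << 17;    /* xorshift64 step */
        out[i] = in[i] ^ (uint8_t)(s >> 56);
    }
}

/* Victim side: what the Trojan does at clock value `when`: derive the key
 * from the time and encrypt the file with it. The key is thrown away, but
 * the encrypted file's mtime ends up within seconds of `when`. */
void ransom_crypt(uint32_t when, const uint8_t *in, size_t len, uint8_t *out)
{
    uint8_t key[KEY_LEN];
    derive_key_from_seed(when, key);
    xor_crypt(key, in, len, out);
}

/* Recovery side: try every second in [t_lo, t_hi] as the seed and keep the
 * one under which the decrypted prefix equals known plaintext (for a PHP
 * site, "<?php" is a safe bet). Returns the seed, or 0 if none matches. */
uint32_t recover_seed(const uint8_t *cipher, size_t cipher_len,
                      const uint8_t *known, size_t known_len,
                      uint32_t t_lo, uint32_t t_hi)
{
    uint8_t key[KEY_LEN], trial[64];
    if (known_len > sizeof trial || known_len > cipher_len) return 0;
    for (uint32_t s = t_lo; s <= t_hi; s++) {
        derive_key_from_seed(s, key);
        xor_crypt(key, cipher, known_len, trial);
        if (memcmp(trial, known, known_len) == 0) return s;
        if (s == UINT32_MAX) break;                 /* do not wrap the loop counter */
    }
    return 0;
}

/* Constructed scenario: an index.php encrypted seven seconds before the
 * mtime the Trojan left on it, a made-up 2015-11-12 00:00:00 UTC. */
const uint32_t FILE_MTIME = 1447286400u;
const uint32_t SECRET_SEED = 1447286400u - 7;

int main(void)
{
    const uint8_t plain[] = "<?php echo 'hello'; ?>";
    uint8_t cipher[sizeof plain], back[sizeof plain];
    ransom_crypt(SECRET_SEED, plain, sizeof plain, cipher);
    uint32_t seed = recover_seed(cipher, sizeof cipher, (const uint8_t *)"<?php", 5,
                                 FILE_MTIME - 3600, FILE_MTIME);
    ransom_crypt(seed, cipher, sizeof cipher, back);
    printf("recovered seed %u (%s), plaintext: %s\n", seed,
           seed == SECRET_SEED ? "correct" : "wrong", back);
    return 0;
}
```

An hour-wide window is 3,600 candidate seeds; even a whole year is about 31 million, which a laptop finishes in seconds. The lesson for anyone writing encryption code, malicious or not, is that a key derived from a 32-bit clock has at most 32 bits of entropy regardless of the cipher behind it.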

    Instead of an epilogue

    There is still a whole month ahead, so it is easy to imagine this top 7 growing into a top 10. But while hackers hunt for zero-day vulnerabilities, the main danger is closer than you might think. This year Positive Hack Days, the international forum on practical security, restated a banal but eternal truth: a company's own employees remain one of the main sources of vulnerabilities. An analysis of 18 large state and commercial companies, some of them on the Fortune Global list, revealed a significant drop in employee awareness of security issues. So take care of your colleagues first. Do a good deed: remind them how important it is to keep an eye on security.
